rpms/389-ds-base
1
0
Fork 0
mirror of https://git.centos.org/rpms/389-ds-base.git synced 2025-02-23 16:22:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

import 389-ds-base-1.3.7.5-21.el7_5

Browse source
This commit is contained in:
CentOS Sources 2018-05-14 09:00:03 -04:00
parent 61f723b193
commit b045b9a805
165 changed files with 18242 additions and 21069 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.389-ds-base.metadata
View file

@ -1 +1 @@
debdbca81fda1651bf73e504ca8bc8c1b48a3b59 SOURCES/389-ds-base-1.3.6.1.tar.bz2
77dee99c82e77c3c3c8579b443ebb68e63d51702 SOURCES/389-ds-base-1.3.7.5.tar.bz2

2
.gitignore vendored
View file

@ -1 +1 @@
SOURCES/389-ds-base-1.3.6.1.tar.bz2
SOURCES/389-ds-base-1.3.7.5.tar.bz2

67
SOURCES/0000-Ticket-49164-Change-NS-to-acq-rel-semantics-for-atom.patch
View file

@ -1,67 +0,0 @@
From 70230bf894d9c0150dca8dc6fccc2712187f7b86 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Mon, 13 Mar 2017 13:29:43 +1000
Subject: [PATCH 1/5] Ticket 49164 - Change NS to acq-rel semantics for atomics
Bug Description: We were using seq_cst to guarantee our operations
as a poc. Changing to acq/rel allows us the same guarantees, but
with less overheads.
Fix Description: Change the barrier type.
https://gcc.gnu.org/wiki/Atomic/GCCMM/AtomicSync
https://pagure.io/389-ds-base/issue/49164
Author: wibrown
Review by: mreynolds (Thanks!)
(cherry picked from commit b1b0574d2cdb012ab206999ed51f08d3340386ce)
---
src/nunc-stans/ns/ns_thrpool.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
index 744749b..a867b39 100644
--- a/src/nunc-stans/ns/ns_thrpool.c
+++ b/src/nunc-stans/ns/ns_thrpool.c
@@ -167,7 +167,7 @@ ns_thrpool_is_shutdown(struct ns_thrpool_t *tp)
{
/* We need to barrier this somehow? */
int32_t result = 0;
- __atomic_load(&(tp->shutdown), &result, __ATOMIC_SEQ_CST);
+ __atomic_load(&(tp->shutdown), &result, __ATOMIC_ACQUIRE);
return result;
}
@@ -176,7 +176,7 @@ ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp)
{
/* We need to barrier this somehow? */
int32_t result = 0;
- __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_SEQ_CST);
+ __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_ACQUIRE);
return result;
}
@@ -1402,7 +1402,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp)
#endif
if (tp) {
/* Set the flag to shutdown the event loop. */
- __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_SEQ_CST);
+ __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_RELEASE);
/* Finish the event queue wakeup job. This has the
* side effect of waking up the event loop thread, which
@@ -1491,7 +1491,7 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp)
}
/* Set the shutdown flag. This will cause the worker
* threads to exit after they finish all remaining work. */
- __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_SEQ_CST);
+ __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_RELEASE);
/* Wake up the idle worker threads so they can exit. */
pthread_mutex_lock(&(tp->work_q_lock));
--
2.9.3

1514
SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch Normal file
View file

File diff suppressed because it is too large Load diff

71
SOURCES/0001-Issue-49170-sync-plugin-thread-count-not-handled-cor.patch
View file

@ -1,71 +0,0 @@
From a00917eec0bcef75180eaf4dd9b360519b9e2644 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 14 Mar 2017 14:35:05 -0400
Subject: [PATCH 2/5] Issue 49170 - sync plugin thread count not handled
correctly
Bug Description: If sync repl connections get aborted the thread_count is
not properly updated which leads to the server hanging
on shutdown.
Fix Description: When connections get aborted we still need to shutdown
the result thread cleanly: remove the req, update thread
count, etc.
https://pagure.io/389-ds-base/issue/49170
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 770fcf4349ccf9e07ff0e1cf0d6991927ec9ba75)
---
ldap/servers/plugins/sync/sync_persist.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/ldap/servers/plugins/sync/sync_persist.c b/ldap/servers/plugins/sync/sync_persist.c
index d0c8da2..667a529 100644
--- a/ldap/servers/plugins/sync/sync_persist.c
+++ b/ldap/servers/plugins/sync/sync_persist.c
@@ -548,16 +548,16 @@ sync_send_results( void *arg )
slapi_pblock_get(req->req_pblock, SLAPI_CONNECTION, &conn);
if (NULL == conn) {
slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
- "sync_send_results - conn=%" NSPRIu64 " op=%d Null connection - aborted\n",
- connid, opid);
- return;
+ "sync_send_results - conn=%" NSPRIu64 " op=%d Null connection - aborted\n",
+ connid, opid);
+ goto done;
}
conn_acq_flag = sync_acquire_connection (conn);
if (conn_acq_flag) {
slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
- "sync_send_results - conn=%" NSPRIu64 " op=%d Could not acquire the connection - aborted\n",
- connid, opid);
- return;
+ "sync_send_results - conn=%" NSPRIu64 " op=%d Could not acquire the connection - aborted\n",
+ connid, opid);
+ goto done;
}
PR_Lock( sync_request_list->sync_req_cvarlock );
@@ -658,15 +658,14 @@ sync_send_results( void *arg )
}
}
PR_Unlock( sync_request_list->sync_req_cvarlock );
- sync_remove_request( req );
/* indicate the end of search */
-
sync_release_connection(req->req_pblock, conn, op, conn_acq_flag == 0);
+done:
+ sync_remove_request( req );
PR_DestroyLock ( req->req_lock );
req->req_lock = NULL;
-
slapi_ch_free((void **) &req->req_pblock );
slapi_ch_free((void **) &req->req_orig_base );
slapi_filter_free(req->req_filter, 1);
--
2.9.3

1325
SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch Normal file
View file

File diff suppressed because it is too large Load diff

174
SOURCES/0002-Ticket-49165-pw_verify-did-not-handle-external-auth.patch
View file

@ -1,174 +0,0 @@
From 22f1ff8d87a7daf9fbbe2ddfbd195a6bfdae1cd6 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 14 Mar 2017 14:01:33 +1000
Subject: [PATCH 3/5] Ticket 49165 pw_verify did not handle external auth
Bug Description: During the change to improve sasl and simple bind,
we externalised the backend selection outside of do_bind. In an
auto_bind scenario however, this mean the be was null, causing the
dn to always be invalidated.
Fix Description: Add a pw_validate_be_dn function, that correctly
checks if we are anonymous, a real be dn, or rootdn. This then allows
the correct authentication of autobinds.
https://pagure.io/389-ds-base/issue/49165
Author: wibrown
Review by: mreynolds (Thanks!)
(cherry picked from commit 8dbfff1ff4152afb018490886a612c448ea2a1b0)
---
ldap/servers/slapd/bind.c | 9 +++++--
ldap/servers/slapd/dn.c | 5 ++++
ldap/servers/slapd/pw_verify.c | 57 +++++++++++++++++++++++++++++++++++++--
ldap/servers/slapd/pw_verify.h | 1 +
ldap/servers/slapd/slapi-plugin.h | 9 +++++++
5 files changed, 77 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index b4bb363..5c4fada 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -656,7 +656,12 @@ do_bind( Slapi_PBlock *pb )
/* We could be serving multiple database backends. Select the appropriate one */
/* pw_verify_be_dn will select the backend we need for us. */
- rc = pw_verify_be_dn(pb, &referral);
+ if (auto_bind) {
+ /* We have no password material. We should just check who we are binding as. */
+ rc = pw_validate_be_dn(pb, &referral);
+ } else {
+ rc = pw_verify_be_dn(pb, &referral);
+ }
if (rc == SLAPI_BIND_NO_BACKEND) {
send_nobackend_ldap_result( pb );
@@ -715,7 +720,7 @@ do_bind( Slapi_PBlock *pb )
*
*/
slapi_pblock_get(pb, SLAPI_BACKEND, &be);
- if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
+ if (!isroot && !slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
if (1 == myrc) { /* account is locked */
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index d043f2a..fa3909f 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -1738,6 +1738,11 @@ slapi_dn_isroot( const char *dn )
return( rc );
}
+int32_t
+slapi_sdn_isroot(const Slapi_DN *sdn) {
+ return slapi_dn_isroot(slapi_sdn_get_ndn(sdn));
+}
+
int
slapi_is_rootdse( const char *dn )
{
diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c
index 93e5ff3..529bb83 100644
--- a/ldap/servers/slapd/pw_verify.c
+++ b/ldap/servers/slapd/pw_verify.c
@@ -88,8 +88,61 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
return rc;
}
+/*
+ * Resolve the dn we have been requested to bind with and verify it's
+ * valid, and has a backend.
+ *
+ * We are checking:
+ * * is this anonymous?
+ * * is this the rootdn?
+ * * is this a real dn, which associates to a real backend.
+ *
+ * This is used in SASL autobinds, so we need to handle this validation.
+ */
+
int
-pw_verify_dn()
+pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
{
- return LDAP_OPERATIONS_ERROR;
+ int rc = 0;
+ Slapi_Backend *be = NULL;
+ Slapi_DN *pb_sdn;
+ struct berval *cred;
+ ber_tag_t method;
+
+
+ slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn);
+ slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);
+ slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
+
+ if (pb_sdn != NULL || cred != NULL) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if (*referral) {
+ return SLAPI_BIND_REFERRAL;
+ }
+
+ /* We need a slapi_sdn_isanon? */
+ if (method == LDAP_AUTH_SIMPLE && cred->bv_len == 0) {
+ return SLAPI_BIND_ANONYMOUS;
+ }
+
+ if (slapi_sdn_isroot(pb_sdn)) {
+ /* This is a real identity */
+ return SLAPI_BIND_SUCCESS;
+ }
+
+ if (slapi_mapping_tree_select(pb, &be, referral, NULL, 0) != LDAP_SUCCESS) {
+ return SLAPI_BIND_NO_BACKEND;
+ }
+ slapi_be_Unlock(be);
+
+ slapi_pblock_set(pb, SLAPI_BACKEND, be);
+ slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
+ /* Make sure the result handlers are setup */
+ set_db_default_result_handlers(pb);
+
+ /* The backend associated with this identity is real. */
+
+ return SLAPI_BIND_SUCCESS;
}
diff --git a/ldap/servers/slapd/pw_verify.h b/ldap/servers/slapd/pw_verify.h
index fc34fd1..5137027 100644
--- a/ldap/servers/slapd/pw_verify.h
+++ b/ldap/servers/slapd/pw_verify.h
@@ -11,5 +11,6 @@
int pw_verify_root_dn(const char *dn, const Slapi_Value *cred);
int pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral);
+int pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral);
#endif /* _SLAPD_PW_VERIFY_H_ */
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index b223f65..1bd8fc8 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -3800,6 +3800,15 @@ int slapi_dn_isparent( const char *parentdn, const char *childdn );
int slapi_dn_isroot( const char *dn );
/**
+ * Determines if an SDN is the root DN.
+ *
+ * \param sdn The DN to check
+ * \return \c 1 if the DN is the root DN.
+ * \return \c 0 if the DN is not the root DN.
+ */
+int32_t slapi_sdn_isroot( const Slapi_DN *sdn );
+
+/**
* Checks if a DN is the backend suffix.
*
* \param pb A parameter block with the backend set.
--
2.9.3

286
SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch Normal file
View file

@ -0,0 +1,286 @@
From 8308e20075adacfdf1827aaa3230e503207832bc Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Oct 2017 09:33:29 -0400
Subject: [PATCH] Ticket 49385 - Fix coverity warnings
Description: This fixes coverity issues found from RHEL build of 1.3.7
https://pagure.io/389-ds-base/issue/49385
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 805e8f4d3016eb9c7906c1416482047a234d51ba)
---
ldap/servers/plugins/http/http_impl.c | 1 +
ldap/servers/plugins/replication/urp.c | 10 ++++++----
ldap/servers/plugins/syntaxes/string.c | 1 +
ldap/servers/slapd/back-ldbm/dbversion.c | 2 +-
ldap/servers/slapd/back-ldbm/index.c | 1 +
ldap/servers/slapd/conntable.c | 2 +-
ldap/servers/slapd/modify.c | 1 +
ldap/servers/slapd/plugin.c | 3 ++-
ldap/servers/slapd/referral.c | 18 +++++++++---------
ldap/servers/slapd/task.c | 8 ++++++--
ldap/servers/snmp/main.c | 13 +++++++++++--
11 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/ldap/servers/plugins/http/http_impl.c b/ldap/servers/plugins/http/http_impl.c
index d8bbe38..350c839 100644
--- a/ldap/servers/plugins/http/http_impl.c
+++ b/ldap/servers/plugins/http/http_impl.c
@@ -601,6 +601,7 @@ sendPostReq(PRFileDesc *fd, const char *path, httpheader **httpheaderArray, char
if (path) {
path_len = strlen(path);
} else {
+ path = "";
path_len = 0;
}
diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
index 3d63c64..9534c03 100644
--- a/ldap/servers/plugins/replication/urp.c
+++ b/ldap/servers/plugins/replication/urp.c
@@ -856,7 +856,7 @@ urp_post_delete_operation(Slapi_PBlock *pb)
static int
urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
{
- Slapi_PBlock *add_pb = slapi_pblock_new();
+ Slapi_PBlock *add_pb;
Slapi_Entry *cenotaph = NULL;
Slapi_Entry *pre_entry = NULL;
int ret = 0;
@@ -886,6 +886,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
slapi_rdn_remove_attr (rdn, SLAPI_ATTR_UNIQUEID );
slapi_rdn_add(rdn, "cenotaphID", uniqueid);
newdn = slapi_ch_smprintf("%s,%s", slapi_rdn_get_rdn(rdn), parentdn);
+ slapi_rdn_free(&rdn);
slapi_ch_free_string(&parentdn);
/* slapi_sdn_free(&pre_sdn); */
@@ -902,6 +903,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
slapi_log_err(SLAPI_LOG_REPL, sessionid,
"urp_fixup_add_cenotaph - addinng cenotaph: %s \n", newdn);
+ add_pb = slapi_pblock_new();
slapi_pblock_init(add_pb);
slapi_add_entry_internal_set_pb(add_pb,
@@ -1661,8 +1663,8 @@ urp_conflict_to_glue (char *sessionid, const Slapi_Entry *entry, Slapi_DN *paren
"urp_conflict_to_glue failed(%d) - %s --> %s\n", op_result, basedn, newrdn);
rc = 1;
}
- slapi_ch_free ( (void**)&newrdn );
}
+ slapi_rdn_free(&parentrdn);
return rc;
}
/*
@@ -2166,11 +2168,11 @@ mod_objectclass_attr(const char *uniqueid, const Slapi_DN *entrysdn, const Slapi
{
Slapi_Mods smods;
int op_result;
- char csnstr[CSN_STRSIZE+1];
+ char csnstr[CSN_STRSIZE+1] = {0};
slapi_mods_init(&smods, 3);
slapi_mods_add(&smods, LDAP_MOD_ADD, "objectclass", strlen("ldapsubentry"),"ldapsubentry");
- slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", strlen(csnstr),csn_as_string(opcsn, PR_FALSE, csnstr));
+ slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", CSN_STRSIZE, csn_as_string(opcsn, PR_FALSE, csnstr));
op_result = urp_fixup_modify_entry(uniqueid, entrysdn, opcsn, &smods, 0);
slapi_mods_done(&smods);
if (op_result == LDAP_TYPE_OR_VALUE_EXISTS) {
diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
index f50dc13..e05ca7f 100644
--- a/ldap/servers/plugins/syntaxes/string.c
+++ b/ldap/servers/plugins/syntaxes/string.c
@@ -391,6 +391,7 @@ bailout:
if (free_re) {
slapi_re_free(re);
}
+ slapi_ch_free_string(&alt);
slapi_ch_free((void **)&tmpbuf); /* NULL is fine */
slapi_ch_free((void **)&bigpat); /* NULL is fine */
diff --git a/ldap/servers/slapd/back-ldbm/dbversion.c b/ldap/servers/slapd/back-ldbm/dbversion.c
index 01f86f4..5a77abd 100644
--- a/ldap/servers/slapd/back-ldbm/dbversion.c
+++ b/ldap/servers/slapd/back-ldbm/dbversion.c
@@ -159,7 +159,7 @@ dbversion_read(struct ldbminfo *li, const char *directory, char **ldbmversion, c
}
(void)PR_Close(prfd);
- if (*dataversion == NULL) {
+ if (dataversion == NULL || *dataversion == NULL) {
slapi_log_err(SLAPI_LOG_DEBUG, "dbversion_read", "dataversion not present in \"%s\"\n", filename);
}
if (*ldbmversion == NULL) {
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index 798480e..58b11ed 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -1063,6 +1063,7 @@ index_read_ext_allids(
/* The database might not exist. We have to assume it means empty set */
slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Failed to access idl index for %s\n", basetype);
slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Assuming %s has no index values\n", basetype);
+ idl_free(&idl);
idl = idl_alloc(0);
break;
} else {
diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
index c04ca0f..7c57b47 100644
--- a/ldap/servers/slapd/conntable.c
+++ b/ldap/servers/slapd/conntable.c
@@ -347,7 +347,7 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e)
PR_EnterMonitor(ct->c[i].c_mutex);
if (ct->c[i].c_sd != SLAPD_INVALID_SOCKET) {
- char buf2[20];
+ char buf2[SLAPI_TIMESTAMP_BUFSIZE+1];
size_t lendn = ct->c[i].c_dn ? strlen(ct->c[i].c_dn) : 6; /* "NULLDN" */
size_t lenip = ct->c[i].c_ipaddr ? strlen(ct->c[i].c_ipaddr) : 0;
size_t lenconn = 1;
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 4b5a676..6309975 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -923,6 +923,7 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
if (pw_encodevals_ext(pb, sdn, va)) {
slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+ valuearray_free(&va);
goto free_and_return;
}
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index f47ff9b..e02133a 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -4242,7 +4242,7 @@ bail:
int
slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
{
- Slapi_PBlock *pb = slapi_pblock_new();
+ Slapi_PBlock *pb;
Slapi_Entry **entries = NULL;
int rc = LDAP_SUCCESS;
char **search_attrs = NULL; /* used by search */
@@ -4251,6 +4251,7 @@ slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
return rc;
}
+ pb = slapi_pblock_new();
charray_add(&search_attrs, slapi_ch_strdup(type));
/* cn=plugin default config,cn=config */
diff --git a/ldap/servers/slapd/referral.c b/ldap/servers/slapd/referral.c
index c5d9ffc..5935820 100644
--- a/ldap/servers/slapd/referral.c
+++ b/ldap/servers/slapd/referral.c
@@ -153,7 +153,7 @@ referrals_free(void)
struct berval **
ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int is_reference)
{
- int i, len, scope;
+ int i, len, scope = 0;
Slapi_DN *sdn = NULL;
char *p, *opdn_norm;
struct berval **urlscopy;
@@ -195,9 +195,9 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
for (i = 0; urls[i] != NULL; ++i) {
/*
- * duplicate the URL, stripping off the label if there is one and
- * leaving extra room for "??base" in case we need to append that.
- */
+ * duplicate the URL, stripping off the label if there is one and
+ * leaving extra room for "??base" in case we need to append that.
+ */
urlscopy[i] = (struct berval *)slapi_ch_malloc(
sizeof(struct berval));
if ((p = strchr(urls[i]->bv_val, ' ')) == NULL) {
@@ -210,16 +210,16 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
urlscopy[i]->bv_val[len] = '\0';
/*
- * adjust the baseDN as needed and set the length
- */
+ * adjust the baseDN as needed and set the length
+ */
adjust_referral_basedn(&urlscopy[i]->bv_val, refsdn,
opdn_norm, is_reference);
urlscopy[i]->bv_len = strlen(urlscopy[i]->bv_val);
/*
- * if we are dealing with a continuation reference that resulted
- * from a one-level search, add a scope of base to the URL.
- */
+ * if we are dealing with a continuation reference that resulted
+ * from a one-level search, add a scope of base to the URL.
+ */
if (is_reference && operation_get_type(op) == SLAPI_OPERATION_SEARCH &&
scope == LDAP_SCOPE_ONELEVEL) {
strcat(urlscopy[i]->bv_val, "??base");
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index f3d02d9..53a0af5 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -278,6 +278,10 @@ slapi_task_log_notice(Slapi_Task *task, char *format, ...)
char buffer[LOG_BUFFER];
size_t len;
+ if (task == NULL) {
+ return;
+ }
+
va_start(ap, format);
PR_vsnprintf(buffer, LOG_BUFFER, format, ap);
va_end(ap);
@@ -1089,11 +1093,11 @@ task_export_thread(void *arg)
slapi_pblock_get(pb, SLAPI_BACKEND_TASK, &task);
g_incr_active_threadcnt();
- for (count = 0, inp = instance_names; *inp; inp++, count++)
+ for (count = 0, inp = instance_names; inp && *inp; inp++, count++)
;
slapi_task_begin(task, count);
- for (inp = instance_names; *inp; inp++) {
+ for (inp = instance_names; inp && *inp; inp++) {
int release_me = 0;
/* lookup the backend */
be = slapi_be_select_by_instance_name((const char *)*inp);
diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c
index 8477831..5bd318d 100644
--- a/ldap/servers/snmp/main.c
+++ b/ldap/servers/snmp/main.c
@@ -21,6 +21,7 @@
#include "ldap.h"
#include "ldif.h"
#include <ctype.h>
+#include <errno.h>
static char *agentx_master = NULL;
static char *agent_logdir = NULL;
@@ -54,9 +55,17 @@ main(int argc, char *argv[])
{
char *s = getenv("DEBUG_SLEEP");
if ((s != NULL) && isdigit(*s)) {
- int secs = atoi(s);
+ char *endp = NULL;
+ long secs;
+ errno = 0;
+
printf("%s pid is %d\n", argv[0], getpid());
- sleep(secs);
+ secs = strtol(s, &endp, 10);
+ if (*endp != '\0' || errno == ERANGE) {
+ sleep(10);
+ } else {
+ sleep(secs);
+ }
}
}
--
2.9.5

266
SOURCES/0003-Issue-49169-Fix-covscan-errors.patch
View file

@ -1,266 +0,0 @@
From 97f09918ef370c3be5aa64dcfeb3bb21e762f90d Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 14 Mar 2017 20:23:07 -0400
Subject: [PATCH 4/5] Issue 49169 - Fix covscan errors
src/libsds/bpt/map.c - resource leak
ldap/servers/slapd/vattr.c - resource leak
ldap/servers/slapd/task.c: resource leaks
ldap/servers/slapd/str2filter.c - resource leak
ldap/servers/slapd/pw.c - resource leak
ldap/servers/slapd/back-ldbm/import-threads.c - resource leak
ldap/servers/plugins/uiduniq/uid.c:536 - resource leak
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c:164 - resource leak
ldap/servers/plugins/linkedattrs/linked_attrs.c:1672 - resource leak
ldap/servers/plugins/addn/addn.c:419
ldap/servers/slapd/ssl.c - dead code
ldap/servers/slapd/index_subsystem.c - null dereference
https://pagure.io/389-ds-base/issue/49169
Reviewed by: nkinder & wibrown(Thanks!!)
(cherry picked from commit c75126be1edece121826e336141f9b0b9c0bddfd)
---
ldap/servers/plugins/addn/addn.c | 4 +++-
ldap/servers/plugins/linkedattrs/linked_attrs.c | 2 ++
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 1 +
ldap/servers/plugins/uiduniq/uid.c | 6 +++++-
ldap/servers/slapd/back-ldbm/import-threads.c | 1 +
ldap/servers/slapd/index_subsystem.c | 27 +++++++++++++------------
ldap/servers/slapd/pw.c | 1 +
ldap/servers/slapd/pw_verify.c | 1 -
ldap/servers/slapd/ssl.c | 8 +++-----
ldap/servers/slapd/str2filter.c | 1 +
ldap/servers/slapd/task.c | 3 +--
ldap/servers/slapd/vattr.c | 6 +++---
src/libsds/sds/bpt/map.c | 1 +
13 files changed, 36 insertions(+), 26 deletions(-)
diff --git a/ldap/servers/plugins/addn/addn.c b/ldap/servers/plugins/addn/addn.c
index 3abc112..6ba7833 100644
--- a/ldap/servers/plugins/addn/addn.c
+++ b/ldap/servers/plugins/addn/addn.c
@@ -415,7 +415,9 @@ addn_start(Slapi_PBlock *pb)
domain = slapi_entry_attr_get_charptr(plugin_entry, "addn_default_domain");
if (domain == NULL) {
- slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_start: CRITICAL: No default domain in configuration, you must set addn_default_domain!\n");
+ slapi_log_err(SLAPI_LOG_ERR, plugin_name,
+ "addn_start: CRITICAL: No default domain in configuration, you must set addn_default_domain!\n");
+ slapi_ch_free((void**)&config);
return SLAPI_PLUGIN_FAILURE;
}
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c
index b5adb21..d046542 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c
@@ -1669,6 +1669,8 @@ linked_attrs_mod_post_op(Slapi_PBlock *pb)
/* Bail out if the plug-in close function was just called. */
if (!slapi_plugin_running(pb)) {
linked_attrs_unlock();
+ slapi_mod_free(&next_mod);
+ slapi_mods_free(&smods);
return SLAPI_PLUGIN_SUCCESS;
}
diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
index 1b3e555..b228700 100644
--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
@@ -161,6 +161,7 @@ pbkdf2_sha256_pw_enc(const char *pwd)
*/
if ( pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH, PBKDF2_HASH_LENGTH, &passItem, &saltItem, PBKDF2_ITERATIONS) != SECSuccess ) {
slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Could not generate pbkdf2_sha256_hash!\n");
+ slapi_ch_free_string(&enc);
return NULL;
}
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index ae9320e..46554b2 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -533,7 +533,11 @@ create_filter(const char **attributes, const struct berval *value, const char *r
/* Place value in filter */
if (ldap_quote_filter_value(value->bv_val, value->bv_len,
- fp, max-fp, &valueLen)) { slapi_ch_free((void**)&filter); return 0; }
+ fp, max-fp, &valueLen)) {
+ slapi_ch_free((void**)&filter);
+ slapi_ch_free((void**)&attrLen);
+ return 0;
+ }
fp += valueLen;
strcpy(fp, ")");
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 5b81427..087103b 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -1647,6 +1647,7 @@ upgradedn_producer(void *param)
}
e = slapi_str2entry_ext(normdn, NULL, data.dptr,
SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT);
+ slapi_ch_free_string(&rdn);
}
} else {
e =
diff --git a/ldap/servers/slapd/index_subsystem.c b/ldap/servers/slapd/index_subsystem.c
index 57d4f58..8f9fe6d 100644
--- a/ldap/servers/slapd/index_subsystem.c
+++ b/ldap/servers/slapd/index_subsystem.c
@@ -185,27 +185,28 @@ static int index_subsys_index_matches_filter(indexEntry *index, Slapi_Filter *f)
*/
int index_subsys_assign_filter_decoders(Slapi_PBlock *pb)
{
- int rc;
+ int rc = 0;
Slapi_Filter *f;
char *subsystem = "index_subsys_assign_filter_decoders";
char logbuf[ 1024 ];
/* extract the filter */
slapi_pblock_get(pb, SLAPI_SEARCH_FILTER, &f);
+ if (f) {
+ if ( loglevel_is_set( LDAP_DEBUG_FILTER )) {
+ logbuf[0] = '\0';
+ slapi_log_err(SLAPI_LOG_DEBUG, subsystem, "before: %s\n",
+ slapi_filter_to_string(f, logbuf, sizeof(logbuf)));
+ }
- if ( loglevel_is_set( LDAP_DEBUG_FILTER ) && NULL != f ) {
- logbuf[0] = '\0';
- slapi_log_err(SLAPI_LOG_DEBUG, subsystem, "before: %s\n",
- slapi_filter_to_string(f, logbuf, sizeof(logbuf)));
- }
-
- /* find decoders */
- rc = index_subsys_assign_decoders(f);
+ /* find decoders */
+ rc = index_subsys_assign_decoders(f);
- if ( loglevel_is_set( LDAP_DEBUG_FILTER ) && NULL != f ) {
- logbuf[0] = '\0';
- slapi_log_err(SLAPI_LOG_DEBUG, subsystem, " after: %s\n",
- slapi_filter_to_string(f, logbuf, sizeof(logbuf)));
+ if ( loglevel_is_set( LDAP_DEBUG_FILTER )) {
+ logbuf[0] = '\0';
+ slapi_log_err(SLAPI_LOG_DEBUG, subsystem, " after: %s\n",
+ slapi_filter_to_string(f, logbuf, sizeof(logbuf)));
+ }
}
return rc;
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 215c9eb..378d148 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1512,6 +1512,7 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
ep = sp + strlen(sp);
ep = ldap_utf8prevn(sp, ep, toklen);
if (!ep || (sp >= ep)) {
+ slapi_ch_free_string(&sp);
continue;
}
/* See if the password contains the value */
diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c
index 529bb83..a9fd9ec 100644
--- a/ldap/servers/slapd/pw_verify.c
+++ b/ldap/servers/slapd/pw_verify.c
@@ -103,7 +103,6 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
int
pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
{
- int rc = 0;
Slapi_Backend *be = NULL;
Slapi_DN *pb_sdn;
struct berval *cred;
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f35b3f1..050e7b5 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1418,12 +1418,10 @@ slapd_ssl_init()
errorCode = PR_GetError();
slapd_SSL_error("Failed to retrieve SSL "
"configuration information ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
+ SLAPI_COMPONENT_NAME_NSPR " error %d - not found): "
"nssslSessionTimeout: %s ",
- errorCode, slapd_pr_strerror(errorCode),
- (val ? "found" : "not found"));
- slapi_ch_free((void **) &val);
- slapi_ch_free((void **) &ciphers);
+ errorCode, slapd_pr_strerror(errorCode));
+ slapi_ch_free((void **)&ciphers);
freeConfigEntry( &entry );
return -1;
}
diff --git a/ldap/servers/slapd/str2filter.c b/ldap/servers/slapd/str2filter.c
index ebd5c5d..744c93f 100644
--- a/ldap/servers/slapd/str2filter.c
+++ b/ldap/servers/slapd/str2filter.c
@@ -344,6 +344,7 @@ str2simple( char *str , int unescape_filter)
*endp = '\0';
rc = _parse_ext_filter(str, extp, &f->f_mr_type, &f->f_mr_oid, &f->f_mr_dnAttrs);
if (rc) {
+ slapi_filter_free(f, 1);
return NULL; /* error */
} else {
f->f_choice = LDAP_FILTER_EXTENDED;
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index ad52e9d..eabd517 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -2389,7 +2389,6 @@ task_fixup_tombstones_add(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter,
slapi_task_finish(task, *returncode);
slapi_ch_array_free(base);
slapi_ch_free((void **)&task_data);
- return SLAPI_DSE_CALLBACK_ERROR;
}
done:
@@ -2507,9 +2506,9 @@ task_des2aes(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter,
error:
if (rc == SLAPI_DSE_CALLBACK_ERROR){
slapi_ch_array_free(bases);
- slapi_ch_array_free(suffix);
slapi_ch_free((void **)&task_data);
}
+ slapi_ch_array_free(suffix);
return rc;
}
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index 34665de..599b54e 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -753,10 +753,10 @@ slapi_vattr_values_get_sp(vattr_context *c,
}
if (use_local_ctx) {
/* slapi_pblock_destroy cleans up pb_vattr_context, as well */
- slapi_pblock_destroy(local_pb);
- } else {
- vattr_context_ungrok(&c);
+ slapi_pblock_destroy(local_pb);
+ ctx->pb = NULL;
}
+ vattr_context_ungrok(&ctx);
return rc;
}
diff --git a/src/libsds/sds/bpt/map.c b/src/libsds/sds/bpt/map.c
index 4205aa5..2c3468b 100644
--- a/src/libsds/sds/bpt/map.c
+++ b/src/libsds/sds/bpt/map.c
@@ -18,6 +18,7 @@ sds_bptree_map_nodes(sds_bptree_instance *binst, sds_bptree_node *root, sds_resu
sds_bptree_node_list *tail = cur;
if (binst == NULL) {
+ sds_free(cur);
return SDS_NULL_POINTER;
}
--
2.9.3

50
SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch Normal file
View file

@ -0,0 +1,50 @@
From 62fbb3423b26426e735e134134ab710945514ca6 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Tue, 26 Sep 2017 15:51:41 +0200
Subject: [PATCH] Ticket: 49180 - errors log filled with attrlist_replace -
attr_replace
Bug: If a RUV contains the same URL with different replica IDs the created referrals contain duplicates
Fix: check duplicate referrals
Reviewed by: Mark, thanks
---
ldap/servers/plugins/replication/repl5_ruv.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
index 40dc0928b..7bfdc3425 100644
--- a/ldap/servers/plugins/replication/repl5_ruv.c
+++ b/ldap/servers/plugins/replication/repl5_ruv.c
@@ -1386,7 +1386,17 @@ ruv_replica_count(const RUV *ruv)
* Extract all the referral URL's from the RUV (but self URL),
* returning them in an array of strings, that
* the caller must free.
+ * We also check and remove duplicates (caused by unclean RUVs)
*/
+static int
+ruv_referral_exists(unsigned char *purl, char **refs, int count)
+{
+ for (size_t j=0; j<count; j++) {
+ if (0 == slapi_utf8casecmp(purl, (unsigned char *)refs[j]))
+ return 1;
+ }
+ return 0;
+}
char **
ruv_get_referrals(const RUV *ruv)
{
@@ -1407,7 +1417,8 @@ ruv_get_referrals(const RUV *ruv)
/* Add URL into referrals if doesn't match self URL */
if ((replica->replica_purl != NULL) &&
(slapi_utf8casecmp((unsigned char *)replica->replica_purl,
- (unsigned char *)mypurl) != 0)) {
+ (unsigned char *)mypurl) != 0) &&
+ !ruv_referral_exists((unsigned char *)replica->replica_purl, r, i)) {
r[i] = slapi_ch_strdup(replica->replica_purl);
i++;
}
--
2.13.6

96
SOURCES/0004-Ticket-49171-Nunc-Stans-incorrectly-reports-a-timeou.patch
View file

@ -1,96 +0,0 @@
From 645e628626f4a3d4b662c067584b4efc6b5c70c5 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Wed, 15 Mar 2017 10:46:38 +1000
Subject: [PATCH 5/5] Ticket 49171 - Nunc Stans incorrectly reports a timeout
Bug Description: In some cases nunc-stans would incorrectly report
and IO timeout.
Fix Description: Make the io output type volatile to prevent re-arranging
of the code. We then make timeout exclusive to read, write and signal.
Finally, we add an extra check into ns_handle_pr_read_ready that
asserts we truly have an idle timeout. It issues a warning now
instead if this scenario occurs, rather than closing the
connection.
https://pagure.io/389-ds-base/issue/49171
Author: wibrown
Review by: mreynolds (thanks!)
(cherry picked from commit c8ce1b32cc365174c8280111c2d55bba45f7949f)
---
ldap/servers/slapd/daemon.c | 15 +++++++++++----
src/nunc-stans/ns/ns_event_fw_event.c | 28 ++++++++++++++++------------
2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index a37c8c6..6b3331d 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1970,11 +1970,18 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
connection_release_nolock_ext(c, 1); /* release ref acquired when job was added */
if (CONN_NEEDS_CLOSING(c)) {
ns_handle_closure_nomutex(c);
+ /* We shouldn't need the c_idletimeout check here because of how libevent works.
+ * consider testing this and removing it oneday.
+ */
} else if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) {
- /* idle timeout */
- disconnect_server_nomutex_ext(c, c->c_connid, -1,
- SLAPD_DISCONNECT_IDLE_TIMEOUT, EAGAIN,
- 0 /* do not schedule closure, do it next */);
+ if (c->c_idletimeout > 0) {
+ /* idle timeout */
+ disconnect_server_nomutex_ext(c, c->c_connid, -1,
+ SLAPD_DISCONNECT_IDLE_TIMEOUT, EAGAIN,
+ 0 /* do not schedule closure, do it next */);
+ } else {
+ slapi_log_err(SLAPI_LOG_WARNING, "ns_handle_pr_read_ready", "Received idletime out with c->c_idletimeout as 0. Ignoring.\n");
+ }
ns_handle_closure_nomutex(c);
} else if ((connection_activity(c, maxthreads)) == -1) {
/* This might happen as a result of
diff --git a/src/nunc-stans/ns/ns_event_fw_event.c b/src/nunc-stans/ns/ns_event_fw_event.c
index 58dac28..3acbaf7 100644
--- a/src/nunc-stans/ns/ns_event_fw_event.c
+++ b/src/nunc-stans/ns/ns_event_fw_event.c
@@ -71,18 +71,22 @@ event_logger_cb(int severity, const char *msg)
static ns_job_type_t
event_flags_to_type(short events)
{
- ns_job_type_t job_type = 0;
- if (events & EV_READ) {
- job_type |= NS_JOB_READ;
- }
- if (events & EV_WRITE) {
- job_type |= NS_JOB_WRITE;
- }
- if (events & EV_TIMEOUT) {
- job_type |= NS_JOB_TIMER;
- }
- if (events & EV_SIGNAL) {
- job_type |= NS_JOB_SIGNAL;
+ /* The volatile here prevents gcc rearranging this code within the thread. */
+ volatile ns_job_type_t job_type = 0;
+
+ /* Either we timeout *or* we are a real event */
+ if (!(events & EV_TIMEOUT)) {
+ if (events & EV_READ) {
+ job_type |= NS_JOB_READ;
+ }
+ if (events & EV_WRITE) {
+ job_type |= NS_JOB_WRITE;
+ }
+ if (events & EV_SIGNAL) {
+ job_type |= NS_JOB_SIGNAL;
+ }
+ } else {
+ job_type = NS_JOB_TIMER;
}
return job_type;
}
--
2.9.3

40
SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch Normal file
View file

@ -0,0 +1,40 @@
From 80631ee86fa951f18ed25f61ca72734931eb5387 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Oct 2017 16:19:47 -0400
Subject: [PATCH] Ticket 49388 - repl-monitor - matches null string many times
in regex
Bug Description: When using a wildcard(*) for the hostname, some of the
regex's for parsing the various configurations throws
out warnings.
Fix Description: When a wildcard is detected reset the hostnode variable
to nothing.
https://pagure.io/389-ds-base/issue/49388
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 4b41a02484db645a593b9d6ac6c4e062dd374395)
---
ldap/admin/src/scripts/repl-monitor.pl.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index a3efa8e6e..97c1462a5 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -1053,6 +1053,10 @@ sub add_server
# Remove the domain name from the host name
my ($hostnode) = $host;
$hostnode = $1 if $host =~ /^(.+?)\./;
+ if ($hostnode eq "*") {
+ # handle wild card correctly for regex
+ $hostnode = "";
+ }
# new host:port
if (!$binddn || $binddn eq "" || $binddn eq "*" ||
--
2.13.6

36
SOURCES/0005-Issue-49169-Fix-covscan-errors-regression.patch
View file

@ -1,36 +0,0 @@
From 6dde613c1a44731e017d262c2b5868dbe333da74 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 15 Mar 2017 09:00:19 -0400
Subject: [PATCH] Issue 49169 - Fix covscan errors(regression)
Description: The change to vattr.c caused problems with the tests.
Removing change.
https://pagure.io/389-ds-base/issue/49169
Reviewed by: one line commit rule
(cherry picked from commit 314e9ecf310d4ab8e8fc700bd5d3477d52e4fa19)
---
ldap/servers/slapd/vattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index 599b54e..ef4d7f2 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -754,9 +754,9 @@ slapi_vattr_values_get_sp(vattr_context *c,
if (use_local_ctx) {
/* slapi_pblock_destroy cleans up pb_vattr_context, as well */
slapi_pblock_destroy(local_pb);
- ctx->pb = NULL;
+ } else {
+ vattr_context_ungrok(&c);
}
- vattr_context_ungrok(&ctx);
return rc;
}
--
2.9.3

103
SOURCES/0072-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch → SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
View file

@ -1,4 +1,4 @@
From 2741a6db134ad40662cfa0233c4542d2d4148997 Mon Sep 17 00:00:00 2001
From bb2d74ebe9d725b47e35893a2d8c8bd713d6dd4b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 3 Oct 2017 17:22:37 -0400
Subject: [PATCH] Ticket 49389 - unable to retrieve specific cosAttribute when
@ -27,17 +27,17 @@ Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/suites/cos/__init__.py | 0
dirsrvtests/tests/suites/cos/indirect_cos_test.py | 191 ++++++++++++++++++++++
ldap/servers/plugins/cos/cos_cache.c | 68 ++++----
3 files changed, 223 insertions(+), 36 deletions(-)
ldap/servers/plugins/cos/cos_cache.c | 2 +-
3 files changed, 192 insertions(+), 1 deletion(-)
create mode 100644 dirsrvtests/tests/suites/cos/__init__.py
create mode 100644 dirsrvtests/tests/suites/cos/indirect_cos_test.py
diff --git a/dirsrvtests/tests/suites/cos/__init__.py b/dirsrvtests/tests/suites/cos/__init__.py
new file mode 100644
index 0000000..e69de29
index 000000000..e69de29bb
diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
new file mode 100644
index 0000000..1aac6b8
index 000000000..1aac6b8ed
--- /dev/null
+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
@@ -0,0 +1,191 @@
@ -233,90 +233,25 @@ index 0000000..1aac6b8
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index 66c6c7f..87d4890 100644
index c7897ba05..9ae15db15 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -2190,48 +2190,44 @@ bail:
static int cos_cache_vattr_types(vattr_sp_handle *handle,Slapi_Entry *e,
vattr_type_list_context *type_context,int flags)
{
- int ret = 0;
- int index = 0;
- cosCache *pCache;
- char *lastattr = "thisisfakeforcos";
- int props = 0;
-
- slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_vattr_types\n");
-
- if(cos_cache_getref((cos_cache **)&pCache) < 1)
- {
- /* problems we are hosed */
- slapi_log_err(SLAPI_LOG_PLUGIN, COS_PLUGIN_SUBSYSTEM, "cos_cache_vattr_types - Failed to get class of service reference\n");
- goto bail;
- }
-
- while(index < pCache->attrCount )
- {
- if(slapi_utf8casecmp(
- (unsigned char *)pCache->ppAttrIndex[index]->pAttrName,
- (unsigned char *)lastattr))
- {
- lastattr = pCache->ppAttrIndex[index]->pAttrName;
+ int ret = 0;
+ int index = 0;
+ cosCache *pCache;
+ char *lastattr = "thisisfakeforcos";
@@ -2094,7 +2094,6 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)),
int index = 0;
cosCache *pCache;
char *lastattr = "thisisfakeforcos";
- int props = 0;
- if(1 == cos_cache_query_attr(pCache, NULL, e, lastattr, NULL, NULL,
- NULL, &props, NULL))
- {
- /* entry contains this attr */
- vattr_type_thang thang = {0};
+ slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_vattr_types\n");
slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_vattr_types\n");
- thang.type_name = lastattr;
- thang.type_flags = props;
+ if (cos_cache_getref((cos_cache **)&pCache) < 1) {
+ /* problems we are hosed */
+ slapi_log_err(SLAPI_LOG_PLUGIN, COS_PLUGIN_SUBSYSTEM, "cos_cache_vattr_types - Failed to get class of service reference\n");
+ goto bail;
+ }
@@ -2105,6 +2104,7 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)),
}
- slapi_vattrspi_add_type(type_context,&thang,0);
- }
- }
- index++;
- }
- cos_cache_release(pCache);
+ while (index < pCache->attrCount) {
while (index < pCache->attrCount) {
+ int props = 0;
+ if (slapi_utf8casecmp(
+ (unsigned char *)pCache->ppAttrIndex[index]->pAttrName,
+ (unsigned char *)lastattr)) {
+ lastattr = pCache->ppAttrIndex[index]->pAttrName;
+
+ if (1 == cos_cache_query_attr(pCache, NULL, e, lastattr, NULL, NULL,
+ NULL, &props, NULL)) {
+ /* entry contains this attr */
+ vattr_type_thang thang = {0};
+
+ thang.type_name = lastattr;
+ thang.type_flags = props;
+
+ slapi_vattrspi_add_type(type_context, &thang, 0);
+ }
+ }
+ index++;
+ }
+ cos_cache_release(pCache);
bail:
-slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "<-- cos_cache_vattr_types\n");
+ slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "<-- cos_cache_vattr_types\n");
return ret;
}
if (slapi_utf8casecmp(
(unsigned char *)pCache->ppAttrIndex[index]->pAttrName,
(unsigned char *)lastattr)) {
--
2.9.5
2.13.6

29
SOURCES/0006-Issue-49062-Reset-agmt-update-staus-and-total-init
View file

@ -1,29 +0,0 @@
From 310b8f8b3c59423b9dfa3a6ea30f4a719f342fc9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 1 Mar 2017 10:56:40 -0500
Subject: [PATCH] Issue 49062 - Reset agmt update staus and total init
Description: Make sure we always reset the agmt status after doing a reinit
https://pagure.io/389-ds-base/issue/49062
Reviewed by: tbordaz & nhosoi(Thanks!!)
---
ldap/servers/plugins/replication/repl5_tot_protocol.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
index 57d9de2..45a084a 100644
--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
@@ -591,6 +591,7 @@ retry:
"\"%s\". Sent %lu entries.\n",
agmt_get_long_name(prp->agmt), cb_data.num_entries);
agmt_set_last_init_status(prp->agmt, 0, 0, 0, "Total update succeeded");
+ agmt_set_last_update_status(prp->agmt, 0, 0, NULL);
}
done:
--
2.9.3

111
SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch Normal file
View file

@ -0,0 +1,111 @@
From 50d62b6d5ea69e5cad6359dbd1dccb09fcfa1a6b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 3 Oct 2017 09:51:53 -0400
Subject: [PATCH] Ticket 49320 - Activating already active role returns error
16
Bug Description: ns-activate.pl returns error 16 when trying to activate an
already active role.
Fix Description: Check for error 16 (no such attr), and return error 100.
Also added a "redirect"otion to the ldapmod function to
hide any errors printed to STDERR, so that the script can
display its own error message.
https://pagure.io/389-ds-base/issue/49320
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 406084847f29aa44ffd81de746770aeff6b67c61)
---
ldap/admin/src/scripts/DSUtil.pm.in | 18 +++++++++++-------
ldap/admin/src/scripts/ns-activate.pl.in | 9 ++++++++-
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 805a9b91d..791464d0a 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -1447,6 +1447,10 @@ sub ldapmod {
close (FILE);
}
+ if ($info{redirect} eq ""){
+ $info{redirect} = "> /dev/null";
+ }
+
#
# Check the protocol, and reset it if it's invalid
#
@@ -1470,9 +1474,9 @@ sub ldapmod {
print "STARTTLS)\n";
}
if($info{openldap} eq "yes"){
- system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
} else {
- system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
}
} elsif (($info{security} eq "on" && $info{protocol} eq "") || ($info{security} eq "on" && $info{protocol} =~ m/LDAPS/i) ){
#
@@ -1482,9 +1486,9 @@ sub ldapmod {
print "LDAPS)\n";
}
if($info{openldap} eq "yes"){
- system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
} else {
- system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
}
} elsif (($info{openldap} eq "yes") && (($info{ldapi} eq "on" && $info{protocol} eq "") || ($info{ldapi} eq "on" && $info{protocol} =~ m/LDAPI/i)) ){
#
@@ -1499,7 +1503,7 @@ sub ldapmod {
if($protocol_error eq "yes"){
print "LDAPI)\n";
}
- system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
}
} else {
#
@@ -1509,9 +1513,9 @@ sub ldapmod {
print "LDAP)\n";
}
if($info{openldap} eq "yes"){
- system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
} else {
- system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
+ system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
}
}
unlink ($file);
diff --git a/ldap/admin/src/scripts/ns-activate.pl.in b/ldap/admin/src/scripts/ns-activate.pl.in
index 5922c9aab..bec19c8e7 100644
--- a/ldap/admin/src/scripts/ns-activate.pl.in
+++ b/ldap/admin/src/scripts/ns-activate.pl.in
@@ -731,11 +731,18 @@ if ( $single == 1 ){
}
$info{args} = "-c";
+$info{redirect} = "> /dev/null 2>&1";
DSUtil::ldapmod($record, %info);
if( $? != 0 ){
debug("delete, $entry\n");
$retCode=$?>>8;
- exit $retCode;
+ if ($retCode == "16") { # Error 16 (no such attr) - already activated
+ out("$entry already $state.\n");
+ exit 100;
+ } else {
+ out("Failed to activate $entry, error $retCode\n");
+ exit $retCode;
+ }
}
out("$entry $state.\n");
--
2.13.6

174
SOURCES/0007-Issue-49065-dbmon.sh-fails-if-you-have-nsslapd-requi.patch
View file

@ -1,174 +0,0 @@
From edf3d210e9ba9006f87e0597b052fa925c68ddc2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 20 Mar 2017 17:35:10 -0400
Subject: [PATCH] Issue 49065 - dbmon.sh fails if you have
nsslapd-require-secure-binds enabled
Description: Add the ability to detect if security is enabled, if so connect using
start TLS. Added a new param SERVID for specifying which instance
you want to look at.
https://pagure.io/389-ds-base/issue/49065
Reviewed by: firstyear(Thanks!)
---
Makefile.am | 2 +-
ldap/admin/src/scripts/{dbmon.sh => dbmon.sh.in} | 62 ++++++++++++++++++++++--
man/man8/dbmon.sh.8 | 14 +++---
3 files changed, 65 insertions(+), 13 deletions(-)
rename ldap/admin/src/scripts/{dbmon.sh => dbmon.sh.in} (81%)
mode change 100755 => 100644
diff --git a/Makefile.am b/Makefile.am
index 9aebb6b..4a4b2d3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -235,7 +235,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/admin/src/scripts/usn-tombstone-cleanup.pl ldap/admin/src/scripts/verify-db.pl \
ldap/admin/src/scripts/ds_selinux_port_query ldap/admin/src/scripts/ds_selinux_enabled \
ldap/admin/src/scripts/dbverify ldap/admin/src/scripts/readnsstate \
- doxyfile.stamp \
+ doxyfile.stamp ldap/admin/src/scripts/dbmon.sh \
$(NULL)
clean-local:
diff --git a/ldap/admin/src/scripts/dbmon.sh b/ldap/admin/src/scripts/dbmon.sh.in
old mode 100755
new mode 100644
similarity index 81%
rename from ldap/admin/src/scripts/dbmon.sh
rename to ldap/admin/src/scripts/dbmon.sh.in
index 3b8b4d1..4ee6adc
--- a/ldap/admin/src/scripts/dbmon.sh
+++ b/ldap/admin/src/scripts/dbmon.sh.in
@@ -8,10 +8,11 @@
# END COPYRIGHT BLOCK
#
+. @datadir@/@package_name@/data/DSSharedLib
+
DURATION=${DURATION:-0}
INCR=${INCR:-1}
-HOST=${HOST:-localhost}
-PORT=${PORT:-389}
+SERVID=${SERVID}
BINDDN=${BINDDN:-"cn=directory manager"}
BINDPW=${BINDPW:-"secret"}
DBLIST=${DBLIST:-all}
@@ -180,10 +181,63 @@ parseldif() {
}
dodbmon() {
+ initfile=$(get_init_file "@initconfigdir@" $SERVID)
+ if [ $? -eq 1 ]
+ then
+ echo "You must supply a valid server instance identifier (via SERVID)."
+ echo "Available instances: $initfile"
+ exit 1
+ fi
+
+ . $initfile
+
+ process_dse $CONFIG_DIR $$
+ file="/tmp/DSSharedLib.$$"
+ port=$(grep -i 'nsslapd-port' $file | awk '{print $2}' )
+ host=$(grep -i 'nsslapd-localhost' $file | awk '{print $2}' )
+ security=$(grep -i 'nsslapd-security' $file | awk '{print $2}' )
+ certdir=$(grep -i 'nsslapd-certdir' $file | awk '{print $2}' )
+ rm $file
+
+ if [ -n "$ldapiURL" ]
+ then
+ ldapiURL=`echo "$ldapiURL" | sed -e 's/\//%2f/g'`
+ ldapiURL="ldapi://"$ldapiURL
+ fi
+
+ client_type=`ldapsearch -V 2>&1`;
+ echo "$client_type" | grep -q "OpenLDAP"
+ if [ $? -eq 0 ]
+ then
+ openldap="yes"
+ export LDAPTLS_CACERTDIR=$certdir
+ fi
+
+ if [ -z $security ]; then
+ security="off"
+ fi
+
while [ 1 ] ; do
date
- ldapsearch -xLLL -h $HOST -p $PORT -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \
- | parseldif
+ if [ "$security" = "on" ]; then
+ # STARTTLS
+ if [ "$openldap" = "yes" ]; then
+ ldapsearch -x -LLL -ZZ -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \
+ | parseldif
+ else
+ ldapsearch -ZZZ -P $certdir -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \
+ | parseldif
+ fi
+ else
+ # LDAP
+ if [ "$openldap" = "yes" ]; then
+ ldapsearch -x -LLL -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \
+ | parseldif
+ else
+ ldapsearch -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \
+ | parseldif
+ fi
+ fi
echo ""
sleep $INCR
done
diff --git a/man/man8/dbmon.sh.8 b/man/man8/dbmon.sh.8
index 49e61d0..ad318a1 100644
--- a/man/man8/dbmon.sh.8
+++ b/man/man8/dbmon.sh.8
@@ -2,7 +2,7 @@
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
-.TH DBMON.SH 8 "Jul 25, 2014"
+.TH DBMON.SH 8 "Mar 20, 2017"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
@@ -18,7 +18,7 @@
.SH NAME
dbmon.sh - Directory Server script for monitoring database and entry cache usage
.SH SYNOPSIS
-[INCR=num] [HOST=hostname] [PORT=num] [BINDDN=binddn] [BINDPW=password] [DBLIST=databases] [INDEXLIST=indexes] [VERBOSE=num] dbmon.sh
+[INCR=num] [SERVID=server_id][BINDDN=binddn] [BINDPW=password] [DBLIST=databases] [INDEXLIST=indexes] [VERBOSE=num] dbmon.sh
.SH DESCRIPTION
dbmon.sh is a tool used to monitor database and entry cache usage. It is especially useful for database cache and entry/dn cache tuning - how much space is left, is the cache full, how much space on average do I need per entry/dn.
.SH OPTIONS
@@ -31,9 +31,7 @@ All arguments are optional, but you will most likely have to provide BINDPW
.TP
.B \fBINCR\fR - show results every INCR seconds - default is 1 second
.TP
-.B \fBHOST\fR - name of host or IP address - default is "localhost"
-.TP
-.B \fBPORT\fR - port number (LDAP not LDAPS) - default is 389
+.B \fBSERVID\fR - Name of the server instance
.TP
.B \fBBINDDN\fR - DN to use to bind - must have permission to read everything under cn=config - default is cn=Directory Manager
.TP
@@ -46,11 +44,11 @@ All arguments are optional, but you will most likely have to provide BINDPW
.B \fBVERBOSE\fR - output level - 0 == suitable for parsing by a script - 1 == has column headings - 2 == provides detailed descriptions of the data - default is 0
.SH EXAMPLE
-INCR=1 HOST=ldap.example.com BINDDN="cn=directory manager" BINDPW="secret" VERBOSE=2 dbmon.sh
+INCR=1 SERVID=slapd-localhost BINDDN="cn=directory manager" BINDPW="secret" VERBOSE=2 dbmon.sh
.SH AUTHOR
dbmon.sh was written by the 389 Project.
.SH "REPORTING BUGS"
-Report bugs to https://fedorahosted.org/389/newticket.
+Report bugs to https://pagure.io/389-ds-base/new_issue
.SH COPYRIGHT
-Copyright \(co 2014 Red Hat, Inc.
+Copyright \(co 2017 Red Hat, Inc.
--
2.9.3

914
SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch Normal file
View file

@ -0,0 +1,914 @@
From cbe71d7e4901232eaa423b9dc55dba9401c05bec Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 13 Oct 2017 07:09:08 -0400
Subject: [PATCH] Ticket 48235 - Remove memberOf global lock
Bug Description: The memberOf global lock no longer servers a purpose since
the plugin is BETXN. This was causing potential deadlocks
when multiple backends are used.
Fix Description: Remove the lock, and rework the fixup/ancestors caches/hashtables.
Instead of reusing a single cache, we create a fresh cache
when we copy the plugin config (which only happens at the start
of an operation). Then we destroy the caches when we free
the config.
https://pagure.io/389-ds-base/issue/48235
Reviewed by: firstyear & tbordaz(Thanks!!)
(cherry picked from commit 184b8a164f4ed456c72d58038aa9a0d512be61fa)
---
ldap/servers/plugins/memberof/memberof.c | 326 +++---------------------
ldap/servers/plugins/memberof/memberof.h | 17 ++
ldap/servers/plugins/memberof/memberof_config.c | 166 +++++++++++-
3 files changed, 210 insertions(+), 299 deletions(-)
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index a0f997ddf..a23c52abe 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -48,14 +48,11 @@ static Slapi_PluginDesc pdesc = {"memberof", VENDOR,
static void *_PluginID = NULL;
static Slapi_DN *_ConfigAreaDN = NULL;
static Slapi_RWLock *config_rwlock = NULL;
-static Slapi_DN *_pluginDN = NULL;
-static PRMonitor *memberof_operation_lock = 0;
+static Slapi_DN* _pluginDN = NULL;
MemberOfConfig *qsortConfig = 0;
static int usetxn = 0;
static int premodfn = 0;
-#define MEMBEROF_HASHTABLE_SIZE 1000
-static PLHashTable *fixup_entry_hashtable = NULL; /* global hash table protected by memberof_lock (memberof_operation_lock) */
-static PLHashTable *group_ancestors_hashtable = NULL; /* global hash table protected by memberof_lock (memberof_operation_lock) */
+
typedef struct _memberofstringll
{
@@ -73,18 +70,6 @@ typedef struct _memberof_get_groups_data
PRBool use_cache;
} memberof_get_groups_data;
-/* The key to access the hash table is the normalized DN
- * The normalized DN is stored in the value because:
- * - It is used in slapi_valueset_find
- * - It is used to fill the memberof_get_groups_data.group_norm_vals
- */
-typedef struct _memberof_cached_value
-{
- char *key;
- char *group_dn_val;
- char *group_ndn_val;
- int valid;
-} memberof_cached_value;
struct cache_stat
{
int total_lookup;
@@ -164,14 +149,9 @@ static int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data);
static int memberof_entry_in_scope(MemberOfConfig *config, Slapi_DN *sdn);
static int memberof_add_objectclass(char *auto_add_oc, const char *dn);
static int memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc);
-static PLHashTable *hashtable_new();
-static void fixup_hashtable_empty(char *msg);
-static PLHashTable *hashtable_new();
-static void ancestor_hashtable_empty(char *msg);
-static void ancestor_hashtable_entry_free(memberof_cached_value *entry);
-static memberof_cached_value *ancestors_cache_lookup(const char *ndn);
-static PRBool ancestors_cache_remove(const char *ndn);
-static PLHashEntry *ancestors_cache_add(const void *key, void *value);
+static memberof_cached_value *ancestors_cache_lookup(MemberOfConfig *config, const char *ndn);
+static PRBool ancestors_cache_remove(MemberOfConfig *config, const char *ndn);
+static PLHashEntry *ancestors_cache_add(MemberOfConfig *config, const void *key, void *value);
/*** implementation ***/
@@ -344,11 +324,6 @@ memberof_postop_start(Slapi_PBlock *pb)
slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
"--> memberof_postop_start\n");
- memberof_operation_lock = PR_NewMonitor();
- if (0 == memberof_operation_lock) {
- rc = -1;
- goto bail;
- }
if (config_rwlock == NULL) {
if ((config_rwlock = slapi_new_rwlock()) == NULL) {
rc = -1;
@@ -356,9 +331,6 @@ memberof_postop_start(Slapi_PBlock *pb)
}
}
- fixup_entry_hashtable = hashtable_new();
- group_ancestors_hashtable = hashtable_new();
-
/* Set the alternate config area if one is defined. */
slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
if (config_area) {
@@ -413,13 +385,13 @@ memberof_postop_start(Slapi_PBlock *pb)
goto bail;
}
-/*
+ /*
* TODO: start up operation actor thread
* need to get to a point where server failure
- * or shutdown doesn't hose our operations
- * so we should create a task entry that contains
+ * or shutdown doesn't hose our operations
+ * so we should create a task entry that contains
* all required information to complete the operation
- * then the tasks can be restarted safely if
+ * then the tasks can be restarted safely if
* interrupted
*/
@@ -451,18 +423,7 @@ memberof_postop_close(Slapi_PBlock *pb __attribute__((unused)))
slapi_sdn_free(&_pluginDN);
slapi_destroy_rwlock(config_rwlock);
config_rwlock = NULL;
- PR_DestroyMonitor(memberof_operation_lock);
- memberof_operation_lock = NULL;
-
- if (fixup_entry_hashtable) {
- fixup_hashtable_empty("memberof_postop_close empty fixup_entry_hastable");
- PL_HashTableDestroy(fixup_entry_hashtable);
- }
- if (group_ancestors_hashtable) {
- ancestor_hashtable_empty("memberof_postop_close empty group_ancestors_hashtable");
- PL_HashTableDestroy(group_ancestors_hashtable);
- }
slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
"<-- memberof_postop_close\n");
return 0;
@@ -524,7 +485,7 @@ memberof_postop_del(Slapi_PBlock *pb)
{
int ret = SLAPI_PLUGIN_SUCCESS;
MemberOfConfig *mainConfig = NULL;
- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ MemberOfConfig configCopy = {0};
Slapi_DN *sdn;
void *caller_id = NULL;
@@ -553,9 +514,6 @@ memberof_postop_del(Slapi_PBlock *pb)
memberof_copy_config(&configCopy, memberof_get_config());
memberof_unlock_config();
- /* get the memberOf operation lock */
- memberof_lock();
-
/* remove this DN from the
* membership lists of groups
*/
@@ -563,7 +521,6 @@ memberof_postop_del(Slapi_PBlock *pb)
slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM,
"memberof_postop_del - Error deleting dn (%s) from group. Error (%d)\n",
slapi_sdn_get_dn(sdn), ret);
- memberof_unlock();
goto bail;
}
@@ -583,7 +540,6 @@ memberof_postop_del(Slapi_PBlock *pb)
}
}
}
- memberof_unlock();
bail:
memberof_free_config(&configCopy);
}
@@ -776,7 +732,7 @@ memberof_call_foreach_dn(Slapi_PBlock *pb __attribute__((unused)), Slapi_DN *sdn
memberof_cached_value *ht_grp = NULL;
const char *ndn = slapi_sdn_get_ndn(sdn);
- ht_grp = ancestors_cache_lookup((const void *)ndn);
+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn);
if (ht_grp) {
#if MEMBEROF_CACHE_DEBUG
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp);
@@ -918,7 +874,7 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
if (memberof_oktodo(pb)) {
MemberOfConfig *mainConfig = 0;
- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ MemberOfConfig configCopy = {0};
struct slapi_entry *pre_e = NULL;
struct slapi_entry *post_e = NULL;
Slapi_DN *pre_sdn = 0;
@@ -944,8 +900,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
goto bail;
}
- memberof_lock();
-
/* update any downstream members */
if (pre_sdn && post_sdn && configCopy.group_filter &&
0 == slapi_filter_test_simple(post_e, configCopy.group_filter)) {
@@ -1010,7 +964,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
}
}
}
- memberof_unlock();
bail:
memberof_free_config(&configCopy);
}
@@ -1166,7 +1119,7 @@ memberof_postop_modify(Slapi_PBlock *pb)
if (memberof_oktodo(pb)) {
int config_copied = 0;
MemberOfConfig *mainConfig = 0;
- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ MemberOfConfig configCopy = {0};
/* get the mod set */
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
@@ -1209,8 +1162,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
if (interested) {
int op = slapi_mod_get_operation(smod);
- memberof_lock();
-
/* the modify op decides the function */
switch (op & ~LDAP_MOD_BVALUES) {
case LDAP_MOD_ADD: {
@@ -1221,7 +1172,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
"Error (%d)\n",
slapi_sdn_get_dn(sdn), ret);
slapi_mod_done(next_mod);
- memberof_unlock();
goto bail;
}
break;
@@ -1239,7 +1189,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
"Error (%d)\n",
slapi_sdn_get_dn(sdn), ret);
slapi_mod_done(next_mod);
- memberof_unlock();
goto bail;
}
} else {
@@ -1250,7 +1199,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
"Error (%d)\n",
slapi_sdn_get_dn(sdn), ret);
slapi_mod_done(next_mod);
- memberof_unlock();
goto bail;
}
}
@@ -1265,7 +1213,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
"Error (%d)\n",
slapi_sdn_get_dn(sdn), ret);
slapi_mod_done(next_mod);
- memberof_unlock();
goto bail;
}
break;
@@ -1280,8 +1227,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
break;
}
}
-
- memberof_unlock();
}
slapi_mod_done(next_mod);
@@ -1336,7 +1281,7 @@ memberof_postop_add(Slapi_PBlock *pb)
if (memberof_oktodo(pb) && (sdn = memberof_getsdn(pb))) {
struct slapi_entry *e = NULL;
- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ MemberOfConfig configCopy = {0};
MemberOfConfig *mainConfig;
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &e);
@@ -1361,8 +1306,6 @@ memberof_postop_add(Slapi_PBlock *pb)
int i = 0;
Slapi_Attr *attr = 0;
- memberof_lock();
-
for (i = 0; configCopy.groupattrs && configCopy.groupattrs[i]; i++) {
if (0 == slapi_entry_attr_find(e, configCopy.groupattrs[i], &attr)) {
if ((ret = memberof_add_attr_list(pb, &configCopy, sdn, attr))) {
@@ -1373,8 +1316,6 @@ memberof_postop_add(Slapi_PBlock *pb)
}
}
}
-
- memberof_unlock();
memberof_free_config(&configCopy);
}
}
@@ -2094,7 +2035,7 @@ dump_cache_entry(memberof_cached_value *double_check, const char *msg)
* the firsts elements of the array has 'valid=1' and the dn/ndn of group it belong to
*/
static void
-cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
+cache_ancestors(MemberOfConfig *config, Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
{
Slapi_ValueSet *groupvals = *((memberof_get_groups_data *)groups)->groupvals;
Slapi_Value *sval;
@@ -2191,14 +2132,14 @@ cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
#if MEMBEROF_CACHE_DEBUG
dump_cache_entry(cache_entry, key);
#endif
- if (ancestors_cache_add((const void *)key_copy, (void *)cache_entry) == NULL) {
- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key);
+ if (ancestors_cache_add(config, (const void*) key_copy, (void *) cache_entry) == NULL) {
+ slapi_log_err( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key);
ancestor_hashtable_entry_free(cache_entry);
- slapi_ch_free((void **)&cache_entry);
+ slapi_ch_free ((void**)&cache_entry);
return;
}
#if MEMBEROF_CACHE_DEBUG
- if (double_check = ancestors_cache_lookup((const void *)key)) {
+ if (double_check = ancestors_cache_lookup(config, (const void*) key)) {
dump_cache_entry(double_check, "read back");
}
#endif
@@ -2283,8 +2224,7 @@ memberof_get_groups_r(MemberOfConfig *config, Slapi_DN *member_sdn, memberof_get
merge_ancestors(&member_ndn_val, &member_data, data);
if (!cached && member_data.use_cache)
- cache_ancestors(&member_ndn_val, &member_data);
-
+ cache_ancestors(config, &member_ndn_val, &member_data);
slapi_value_free(&member_ndn_val);
slapi_valueset_free(groupvals);
@@ -2825,49 +2765,10 @@ memberof_qsort_compare(const void *a, const void *b)
val1, val2);
}
-/* betxn: This locking mechanism is necessary to guarantee the memberof
- * consistency */
-void
-memberof_lock()
-{
- if (usetxn) {
- PR_EnterMonitor(memberof_operation_lock);
- }
- if (fixup_entry_hashtable) {
- fixup_hashtable_empty("memberof_lock");
- }
- if (group_ancestors_hashtable) {
- ancestor_hashtable_empty("memberof_lock empty group_ancestors_hashtable");
- memset(&cache_stat, 0, sizeof(cache_stat));
- }
-}
-
-void
-memberof_unlock()
-{
- if (group_ancestors_hashtable) {
- ancestor_hashtable_empty("memberof_unlock empty group_ancestors_hashtable");
-#if MEMBEROF_CACHE_DEBUG
- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics: total lookup %d (success %d), add %d, remove %d, enum %d\n",
- cache_stat.total_lookup, cache_stat.successfull_lookup,
- cache_stat.total_add, cache_stat.total_remove, cache_stat.total_enumerate);
- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics duration: lookup %ld, add %ld, remove %ld, enum %ld\n",
- cache_stat.cumul_duration_lookup, cache_stat.cumul_duration_add,
- cache_stat.cumul_duration_remove, cache_stat.cumul_duration_enumerate);
-#endif
- }
- if (fixup_entry_hashtable) {
- fixup_hashtable_empty("memberof_lock");
- }
- if (usetxn) {
- PR_ExitMonitor(memberof_operation_lock);
- }
-}
-
void
memberof_fixup_task_thread(void *arg)
{
- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ MemberOfConfig configCopy = {0};
Slapi_Task *task = (Slapi_Task *)arg;
task_data *td = NULL;
int rc = 0;
@@ -2933,9 +2834,6 @@ memberof_fixup_task_thread(void *arg)
/* do real work */
rc = memberof_fix_memberof(&configCopy, task, td);
- /* release the memberOf operation lock */
- memberof_unlock();
-
done:
if (usetxn && fixup_pb) {
if (rc) { /* failed */
@@ -3100,7 +2998,7 @@ memberof_fix_memberof(MemberOfConfig *config, Slapi_Task *task, task_data *td)
}
static memberof_cached_value *
-ancestors_cache_lookup(const char *ndn)
+ancestors_cache_lookup(MemberOfConfig *config, const char *ndn)
{
memberof_cached_value *e;
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
@@ -3118,7 +3016,7 @@ ancestors_cache_lookup(const char *ndn)
}
#endif
- e = (memberof_cached_value *)PL_HashTableLookupConst(group_ancestors_hashtable, (const void *)ndn);
+ e = (memberof_cached_value *) PL_HashTableLookupConst(config->ancestors_cache, (const void *) ndn);
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
if (start) {
@@ -3133,7 +3031,7 @@ ancestors_cache_lookup(const char *ndn)
return e;
}
static PRBool
-ancestors_cache_remove(const char *ndn)
+ancestors_cache_remove(MemberOfConfig *config, const char *ndn)
{
PRBool rc;
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
@@ -3151,7 +3049,8 @@ ancestors_cache_remove(const char *ndn)
}
#endif
- rc = PL_HashTableRemove(group_ancestors_hashtable, (const void *)ndn);
+
+ rc = PL_HashTableRemove(config->ancestors_cache, (const void *)ndn);
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
if (start) {
@@ -3164,7 +3063,7 @@ ancestors_cache_remove(const char *ndn)
}
static PLHashEntry *
-ancestors_cache_add(const void *key, void *value)
+ancestors_cache_add(MemberOfConfig *config, const void *key, void *value)
{
PLHashEntry *e;
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
@@ -3181,7 +3080,7 @@ ancestors_cache_add(const void *key, void *value)
}
#endif
- e = PL_HashTableAdd(group_ancestors_hashtable, key, value);
+ e = PL_HashTableAdd(config->ancestors_cache, key, value);
#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
if (start) {
@@ -3211,7 +3110,6 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
const char *ndn;
char *dn_copy;
-
/*
* If the server is ordered to shutdown, stop the fixup and return an error.
*/
@@ -3222,7 +3120,7 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
/* Check if the entry has not already been fixed */
ndn = slapi_sdn_get_ndn(sdn);
- if (ndn && fixup_entry_hashtable && PL_HashTableLookupConst(fixup_entry_hashtable, (void *)ndn)) {
+ if (ndn && config->fixup_cache && PL_HashTableLookupConst(config->fixup_cache, (void *)ndn)) {
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: Entry %s already fixed up\n", ndn);
goto bail;
}
@@ -3240,12 +3138,13 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
* so free this memory
*/
ndn = slapi_sdn_get_ndn(sdn);
+
#if MEMBEROF_CACHE_DEBUG
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: This is NOT a group %s\n", ndn);
#endif
- ht_grp = ancestors_cache_lookup((const void *)ndn);
+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn);
if (ht_grp) {
- if (ancestors_cache_remove((const void *)ndn)) {
+ if (ancestors_cache_remove(config, (const void *)ndn)) {
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: free cached values for %s\n", ndn);
ancestor_hashtable_entry_free(ht_grp);
slapi_ch_free((void **)&ht_grp);
@@ -3297,11 +3196,11 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
slapi_valueset_free(groups);
/* records that this entry has been fixed up */
- if (fixup_entry_hashtable) {
+ if (config->fixup_cache) {
dn_copy = slapi_ch_strdup(ndn);
- if (PL_HashTableAdd(fixup_entry_hashtable, dn_copy, dn_copy) == NULL) {
+ if (PL_HashTableAdd(config->fixup_cache, dn_copy, dn_copy) == NULL) {
slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: "
- "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n",
+ "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n",
dn_copy, PR_GetError());
slapi_ch_free((void **)&dn_copy);
/* let consider this as not a fatal error, it just skip an optimization */
@@ -3397,157 +3296,8 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn)
return rc;
}
-static PRIntn
-memberof_hash_compare_keys(const void *v1, const void *v2)
-{
- PRIntn rc;
- if (0 == strcasecmp((const char *)v1, (const char *)v2)) {
- rc = 1;
- } else {
- rc = 0;
- }
- return rc;
-}
-
-static PRIntn
-memberof_hash_compare_values(const void *v1, const void *v2)
-{
- PRIntn rc;
- if ((char *)v1 == (char *)v2) {
- rc = 1;
- } else {
- rc = 0;
- }
- return rc;
-}
-
-/*
- * Hashing function using Bernstein's method
- */
-static PLHashNumber
-memberof_hash_fn(const void *key)
-{
- PLHashNumber hash = 5381;
- unsigned char *x = (unsigned char *)key;
- int c;
-
- while ((c = *x++)) {
- hash = ((hash << 5) + hash) ^ c;
- }
- return hash;
-}
-
-/* allocates the plugin hashtable
- * This hash table is used by operation and is protected from
- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
- * is not implemented and the hash table will be not used.
- *
- * The hash table contains all the DN of the entries for which the memberof
- * attribute has been computed/updated during the current operation
- *
- * hash table should be empty at the beginning and end of the plugin callback
- */
-static PLHashTable *
-hashtable_new()
-{
- if (!usetxn) {
- return NULL;
- }
-
- return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE,
- memberof_hash_fn,
- memberof_hash_compare_keys,
- memberof_hash_compare_values, NULL, NULL);
-}
-/* this function called for each hash node during hash destruction */
-static PRIntn
-fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
-{
- char *dn_copy;
-
- if (he == NULL) {
- return HT_ENUMERATE_NEXT;
- }
- dn_copy = (char *)he->value;
- slapi_ch_free_string(&dn_copy);
-
- return HT_ENUMERATE_REMOVE;
-}
-
-static void
-fixup_hashtable_empty(char *msg)
-{
- if (fixup_entry_hashtable) {
- PL_HashTableEnumerateEntries(fixup_entry_hashtable, fixup_hashtable_remove, msg);
- }
-}
-
-
-/* allocates the plugin hashtable
- * This hash table is used by operation and is protected from
- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
- * is not implemented and the hash table will be not used.
- *
- * The hash table contains all the DN of the entries for which the memberof
- * attribute has been computed/updated during the current operation
- *
- * hash table should be empty at the beginning and end of the plugin callback
- */
-
-static void
-ancestor_hashtable_entry_free(memberof_cached_value *entry)
-{
- int i;
- for (i = 0; entry[i].valid; i++) {
- slapi_ch_free((void **)&entry[i].group_dn_val);
- slapi_ch_free((void **)&entry[i].group_ndn_val);
- }
- /* Here we are at the ending element containing the key */
- slapi_ch_free((void **)&entry[i].key);
-}
-/* this function called for each hash node during hash destruction */
-static PRIntn
-ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
-{
- memberof_cached_value *group_ancestor_array;
-
- if (he == NULL) {
- return HT_ENUMERATE_NEXT;
- }
-
-
- group_ancestor_array = (memberof_cached_value *)he->value;
- ancestor_hashtable_entry_free(group_ancestor_array);
- slapi_ch_free((void **)&group_ancestor_array);
-
- return HT_ENUMERATE_REMOVE;
-}
-
-static void
-ancestor_hashtable_empty(char *msg)
+int
+memberof_use_txn()
{
-#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- long int start;
- struct timespec tsnow;
-#endif
-
- if (group_ancestors_hashtable) {
- cache_stat.total_enumerate++;
-#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
- start = 0;
- } else {
- start = tsnow.tv_nsec;
- }
-#endif
- PL_HashTableEnumerateEntries(group_ancestors_hashtable, ancestor_hashtable_remove, msg);
-
-#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- if (start) {
- if (clock_gettime(CLOCK_REALTIME, &tsnow) == 0) {
- cache_stat.cumul_duration_enumerate += (tsnow.tv_nsec - start);
- }
- }
-#endif
- }
+ return usetxn;
}
diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h
index 4833ce221..ba64e9dfa 100644
--- a/ldap/servers/plugins/memberof/memberof.h
+++ b/ldap/servers/plugins/memberof/memberof.h
@@ -64,8 +64,22 @@ typedef struct memberofconfig
int skip_nested;
int fixup_task;
char *auto_add_oc;
+ PLHashTable *ancestors_cache;
+ PLHashTable *fixup_cache;
} MemberOfConfig;
+/* The key to access the hash table is the normalized DN
+ * The normalized DN is stored in the value because:
+ * - It is used in slapi_valueset_find
+ * - It is used to fill the memberof_get_groups_data.group_norm_vals
+ */
+typedef struct _memberof_cached_value
+{
+ char *key;
+ char *group_dn_val;
+ char *group_ndn_val;
+ int valid;
+} memberof_cached_value;
/*
* functions
@@ -89,5 +103,8 @@ int memberof_apply_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entr
void *memberof_get_plugin_id(void);
void memberof_release_config(void);
PRUint64 get_plugin_started(void);
+void ancestor_hashtable_entry_free(memberof_cached_value *entry);
+PLHashTable *hashtable_new();
+int memberof_use_txn();
#endif /* _MEMBEROF_H_ */
diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
index c5ca4b137..3f22d95d6 100644
--- a/ldap/servers/plugins/memberof/memberof_config.c
+++ b/ldap/servers/plugins/memberof/memberof_config.c
@@ -14,12 +14,12 @@
* memberof_config.c - configuration-related code for memberOf plug-in
*
*/
-
+#include "plhash.h"
#include <plstr.h>
-
#include "memberof.h"
#define MEMBEROF_CONFIG_FILTER "(objectclass=*)"
+#define MEMBEROF_HASHTABLE_SIZE 1000
/*
* The configuration attributes are contained in the plugin entry e.g.
@@ -34,14 +34,16 @@
/*
* function prototypes
*/
-static int memberof_validate_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *e, int *returncode, char *returntext, void *arg);
-static int
-memberof_search(Slapi_PBlock *pb __attribute__((unused)),
- Slapi_Entry *entryBefore __attribute__((unused)),
- Slapi_Entry *e __attribute__((unused)),
- int *returncode __attribute__((unused)),
- char *returntext __attribute__((unused)),
- void *arg __attribute__((unused)))
+static void fixup_hashtable_empty( MemberOfConfig *config, char *msg);
+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg);
+static int memberof_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e,
+ int *returncode, char *returntext, void *arg);
+static int memberof_search (Slapi_PBlock *pb __attribute__((unused)),
+ Slapi_Entry* entryBefore __attribute__((unused)),
+ Slapi_Entry* e __attribute__((unused)),
+ int *returncode __attribute__((unused)),
+ char *returntext __attribute__((unused)),
+ void *arg __attribute__((unused)))
{
return SLAPI_DSE_CALLBACK_OK;
}
@@ -52,7 +54,7 @@ memberof_search(Slapi_PBlock *pb __attribute__((unused)),
/* This is the main configuration which is updated from dse.ldif. The
* config will be copied when it is used by the plug-in to prevent it
* being changed out from under a running memberOf operation. */
-static MemberOfConfig theConfig = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+static MemberOfConfig theConfig = {0};
static Slapi_RWLock *memberof_config_lock = 0;
static int inited = 0;
@@ -693,6 +695,13 @@ void
memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src)
{
if (dest && src) {
+
+ /* Allocate our caches here since we only copy the config at the start of an op */
+ if (memberof_use_txn() == 1){
+ dest->ancestors_cache = hashtable_new();
+ dest->fixup_cache = hashtable_new();
+ }
+
/* Check if the copy is already up to date */
if (src->groupattrs) {
int i = 0, j = 0;
@@ -787,6 +796,14 @@ memberof_free_config(MemberOfConfig *config)
slapi_ch_free_string(&config->memberof_attr);
memberof_free_scope(&(config->entryScopes), &config->entryScopeCount);
memberof_free_scope(&(config->entryScopeExcludeSubtrees), &config->entryExcludeScopeCount);
+ if (config->fixup_cache) {
+ fixup_hashtable_empty(config, "memberof_free_config empty fixup_entry_hastable");
+ PL_HashTableDestroy(config->fixup_cache);
+ }
+ if (config->ancestors_cache) {
+ ancestor_hashtable_empty(config, "memberof_free_config empty group_ancestors_hashtable");
+ PL_HashTableDestroy(config->ancestors_cache);
+ }
}
}
@@ -982,3 +999,130 @@ bail:
return ret;
}
+
+
+static PRIntn memberof_hash_compare_keys(const void *v1, const void *v2)
+{
+ PRIntn rc;
+ if (0 == strcasecmp((const char *) v1, (const char *) v2)) {
+ rc = 1;
+ } else {
+ rc = 0;
+ }
+ return rc;
+}
+
+static PRIntn memberof_hash_compare_values(const void *v1, const void *v2)
+{
+ PRIntn rc;
+ if ((char *) v1 == (char *) v2) {
+ rc = 1;
+ } else {
+ rc = 0;
+ }
+ return rc;
+}
+
+/*
+ * Hashing function using Bernstein's method
+ */
+static PLHashNumber memberof_hash_fn(const void *key)
+{
+ PLHashNumber hash = 5381;
+ unsigned char *x = (unsigned char *)key;
+ int c;
+
+ while ((c = *x++)){
+ hash = ((hash << 5) + hash) ^ c;
+ }
+ return hash;
+}
+
+/* allocates the plugin hashtable
+ * This hash table is used by operation and is protected from
+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
+ * is not implemented and the hash table will be not used.
+ *
+ * The hash table contains all the DN of the entries for which the memberof
+ * attribute has been computed/updated during the current operation
+ *
+ * hash table should be empty at the beginning and end of the plugin callback
+ */
+PLHashTable *hashtable_new(int usetxn)
+{
+ if (!usetxn) {
+ return NULL;
+ }
+
+ return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE,
+ memberof_hash_fn,
+ memberof_hash_compare_keys,
+ memberof_hash_compare_values, NULL, NULL);
+}
+
+/* this function called for each hash node during hash destruction */
+static PRIntn fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
+{
+ char *dn_copy;
+
+ if (he == NULL) {
+ return HT_ENUMERATE_NEXT;
+ }
+ dn_copy = (char*) he->value;
+ slapi_ch_free_string(&dn_copy);
+
+ return HT_ENUMERATE_REMOVE;
+}
+
+static void fixup_hashtable_empty(MemberOfConfig *config, char *msg)
+{
+ if (config->fixup_cache) {
+ PL_HashTableEnumerateEntries(config->fixup_cache, fixup_hashtable_remove, msg);
+ }
+}
+
+
+/* allocates the plugin hashtable
+ * This hash table is used by operation and is protected from
+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
+ * is not implemented and the hash table will be not used.
+ *
+ * The hash table contains all the DN of the entries for which the memberof
+ * attribute has been computed/updated during the current operation
+ *
+ * hash table should be empty at the beginning and end of the plugin callback
+ */
+
+void ancestor_hashtable_entry_free(memberof_cached_value *entry)
+{
+ int i;
+
+ for (i = 0; entry[i].valid; i++) {
+ slapi_ch_free((void **) &entry[i].group_dn_val);
+ slapi_ch_free((void **) &entry[i].group_ndn_val);
+ }
+ /* Here we are at the ending element containing the key */
+ slapi_ch_free((void**) &entry[i].key);
+}
+
+/* this function called for each hash node during hash destruction */
+static PRIntn ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
+{
+ memberof_cached_value *group_ancestor_array;
+
+ if (he == NULL) {
+ return HT_ENUMERATE_NEXT;
+ }
+ group_ancestor_array = (memberof_cached_value *) he->value;
+ ancestor_hashtable_entry_free(group_ancestor_array);
+ slapi_ch_free((void **)&group_ancestor_array);
+
+ return HT_ENUMERATE_REMOVE;
+}
+
+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg)
+{
+ if (config->ancestors_cache) {
+ PL_HashTableEnumerateEntries(config->ancestors_cache, ancestor_hashtable_remove, msg);
+ }
+}
--
2.13.6

157
SOURCES/0008-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
View file

@ -1,157 +0,0 @@
From abc9ff876209819c8f0dd7e799f1ab6a1b084fe5 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 20 Mar 2017 15:08:45 -0400
Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly
case sensitive
Description: When processing an aci that uses a wildcard targetattr, the
comparision should be done using case insensitive functions.
https://pagure.io/389-ds-base/issue/49095
Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++
ldap/servers/plugins/acl/acl.c | 10 ++--
2 files changed, 90 insertions(+), 5 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py
new file mode 100644
index 0000000..04f92b2
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49095_test.py
@@ -0,0 +1,85 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=testuser,dc=example,dc=com'
+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
+
+
+def test_ticket49095(topo):
+ """Check that target attrbiutes with wildcards are case insensitive
+ """
+
+ # Add an entry
+ try:
+ topo.standalone.add_s(Entry((USER_DN, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'testuser',
+ 'telephonenumber': '555-555-5555'
+ })))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add test user: ' + e.message['desc'])
+ assert False
+
+ for aci in acis:
+ # Add ACI
+ try:
+ topo.standalone.modify_s(DEFAULT_SUFFIX,
+ [(ldap.MOD_REPLACE, 'aci', aci)])
+
+ except ldap.LDAPError as e:
+ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
+ assert False
+
+ # Set Anonymous Bind to test aci
+ try:
+ topo.standalone.simple_bind_s("", "")
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+ assert False
+
+ # Search for entry - should not get any results
+ try:
+ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
+ 'telephonenumber=*')
+ if entry:
+ log.fatal('The entry was incorrectly returned')
+ assert False
+ except ldap.LDAPError as e:
+ log.fatal('Failed to search anonymously: ' + e.message['desc'])
+ assert False
+
+ # Set root DN Bind so we can update aci's
+ try:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+ assert False
+
+ log.info("Test Passed")
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 0a93808..48b8efc 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
}
/* this assumes that str and the filter components are already
- * normalized. If not, it shoul be done
+ * normalized. If not, it should be done
*/
if ( initial != NULL) {
len = strlen(initial);
if (exact_match) {
- int rc = strncmp(p, initial, len);
+ int rc = strncasecmp(p, initial, len);
if (rc) {
return ACL_FALSE;
} else {
p += len;
}
} else {
- p = strstr(p, initial);
+ p = strcasestr(p, initial);
if (p) {
p += len;
} else {
@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
if ( any != NULL) {
for (i = 0; any && any[i] != NULL; i++) {
- p = strstr(p, any[i]);
+ p = strcasestr(p, any[i]);
if (p) {
p += strlen(any[i]);
} else {
@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
len = strlen(final);
tlen = strlen(p);
if (len > tlen) return ACL_FALSE;
- if (strcmp(p+tlen-len, final)) return ACL_FALSE;
+ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
}
return ACL_TRUE;
--
2.9.3

47
SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch Normal file
View file

@ -0,0 +1,47 @@
From 23a82820bce65653f96450fcc410706fa555fbfd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 16 Oct 2017 10:44:29 -0400
Subject: [PATCH] Ticket 48235 - remove memberof lock (cherry-pick error)
Description: Fix cherry-pick error
https://pagure.io/389-ds-base/issue/48235
Reviewed by: mreynolds(one line commit rule)
(cherry picked from commit 3eb443b0ee11f3cf642ebfbcd135868a72ce39da)
---
ldap/servers/plugins/memberof/memberof.c | 3 ---
ldap/servers/plugins/memberof/memberof.h | 2 --
2 files changed, 5 deletions(-)
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index a23c52abe..bae242c81 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -2828,9 +2828,6 @@ memberof_fixup_task_thread(void *arg)
}
}
- /* get the memberOf operation lock */
- memberof_lock();
-
/* do real work */
rc = memberof_fix_memberof(&configCopy, task, td);
diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h
index ba64e9dfa..cf028453c 100644
--- a/ldap/servers/plugins/memberof/memberof.h
+++ b/ldap/servers/plugins/memberof/memberof.h
@@ -88,8 +88,6 @@ int memberof_config(Slapi_Entry *config_e, Slapi_PBlock *pb);
void memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src);
void memberof_free_config(MemberOfConfig *config);
MemberOfConfig *memberof_get_config(void);
-void memberof_lock(void);
-void memberof_unlock(void);
void memberof_rlock_config(void);
void memberof_wlock_config(void);
void memberof_unlock_config(void);
--
2.13.6

75
SOURCES/0009-Issue-49157-ds-logpipe.py-crashes-for-non-existing-u.patch
View file

@ -1,75 +0,0 @@
From e33f58d5a9984fd5d5533425fb420d05e6484d7f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 20 Mar 2017 15:29:48 -0400
Subject: [PATCH] Issue 49157 - ds-logpipe.py crashes for non-existing users
Description: Added try/except's for various OS function calls, as the tool
should gracefully exit when there is a problem and not crash
https://pagure.io/389-ds-base/issue/49157
Reviewed by: firstyear(Thanks!)
---
ldap/admin/src/scripts/ds-logpipe.py | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
index 4ba4d1b..dc1856a 100644
--- a/ldap/admin/src/scripts/ds-logpipe.py
+++ b/ldap/admin/src/scripts/ds-logpipe.py
@@ -262,7 +262,8 @@ def parse_options():
options, logfname = parse_options()
-if options.debug: debug = True
+if options.debug:
+ debug = True
if len(plgfuncs) == 0:
plgfuncs.append(defaultplugin)
@@ -270,9 +271,15 @@ if len(plgpostfuncs) == 0:
plgpostfuncs.append(defaultpost)
if options.user:
- try: userid = int(options.user)
- except ValueError: # not a numeric userid - look it up
- userid = pwd.getpwnam(options.user)[2]
+ try:
+ userid = int(options.user)
+ except ValueError: # not a numeric userid - look it up
+ try:
+ userid = pwd.getpwnam(options.user)[2]
+ except Exception as e:
+ print("Failed to lookup name (%s) error: %s" %
+ (options.user, str(e)))
+ sys.exit(1)
os.seteuid(userid)
if options.scriptpidfile:
@@ -298,8 +305,12 @@ except OSError as e:
if e.errno == errno.ENOENT:
if debug:
print("Creating log pipe", logfname)
- os.mkfifo(logfname)
- os.chmod(logfname, 0o600)
+ try:
+ os.mkfifo(logfname)
+ os.chmod(logfname, 0o600)
+ except Exception as e:
+ print("Failed to create log pipe: " + str(e))
+ sys.exit(1)
else:
raise Exception("%s [%d]" % (e.strerror, e.errno))
@@ -393,7 +404,7 @@ while not done:
else: # we read something
# pipe closed - usually when server shuts down
done = True
-
+
if not done and debug:
print("log pipe", logfname, "closed - reopening - read", totallines, "total lines")
--
2.9.3

703
SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch Normal file
View file

@ -0,0 +1,703 @@
From 0b58d1a62679c3961bc41e03591c4277fb9f183e Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 5 Oct 2017 12:50:50 +0200
Subject: [PATCH] Ticket 49394 - slapi_pblock_get may leave unchanged the
provided variable
Bug Description:
Since 1.3.6.4 the pblock struct is a split in sub-structs
(https://pagure.io/389-ds-base/issue/49097)
Before, it was a quite flat calloc struct and any slapi-pblock-get
retrieved the field (NULL if not previously slapi_pblock_set) and
assigned the provided variable.
Now, the sub-struct are allocated on demand (slapi_pblock_set).
If a substruct that contains the requested field is not allocated the
provided variable is unchanged.
This is a change of behavior, because a uninitialized local variable can
get random value (stack) if the lookup field/struct has not been set.
Fix Description:
Update slapi_pblock_set so that it systematically sets the
provided variable when those substructs are NULL
pb_mr
pb_dse
pb_task
pb_misc
pb_intop
pb_intplugin
pb_deprecated
https://pagure.io/389-ds-base/issue/49394
Reviewed by: Mark Reynolds, William Brown
Platforms tested: F23
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/pblock.c | 166 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 165 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 077684d23..8f87de5b5 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -379,6 +379,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_BACKEND_COUNT:
if (pblock->pb_misc != NULL) {
(*(int *)value) = pblock->pb_misc->pb_backend_count;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_BE_TYPE:
@@ -616,6 +618,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_REQUESTOR_ISROOT:
if (pblock->pb_intop != NULL) {
(*(int *)value) = pblock->pb_intop->pb_requestor_isroot;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_SKIP_MODIFIED_ATTRS:
@@ -657,6 +661,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DESTROY_CONTENT:
if (pblock->pb_deprecated != NULL) {
(*(int *)value) = pblock->pb_deprecated->pb_destroy_content;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -685,16 +691,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_OPRETURN:
if (pblock->pb_intop != NULL) {
(*(int *)value) = pblock->pb_intop->pb_opreturn;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_PLUGIN_OBJECT:
if (pblock->pb_intplugin != NULL) {
(*(void **)value) = pblock->pb_intplugin->pb_object;
+ } else {
+ (*(void **)value) = NULL;
}
break;
case SLAPI_PLUGIN_DESTROY_FN:
if (pblock->pb_intplugin != NULL) {
(*(IFP *)value) = pblock->pb_intplugin->pb_destroy_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
case SLAPI_PLUGIN_DESCRIPTION:
@@ -703,11 +715,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_IDENTITY:
if (pblock->pb_intplugin != NULL) {
(*(void **)value) = pblock->pb_intplugin->pb_plugin_identity;
+ } else {
+ (*(void **)value) = NULL;
}
break;
case SLAPI_PLUGIN_CONFIG_AREA:
if (pblock->pb_intplugin != NULL) {
(*(char **)value) = pblock->pb_intplugin->pb_plugin_config_area;
+ } else {
+ (*(char **)value) = 0;
}
break;
case SLAPI_PLUGIN_CONFIG_DN:
@@ -718,16 +734,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_INTOP_RESULT:
if (pblock->pb_intop != NULL) {
(*(int *)value) = pblock->pb_intop->pb_internal_op_result;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_entries;
+ } else {
+ (*(Slapi_Entry ***)value) = NULL;
}
break;
case SLAPI_PLUGIN_INTOP_SEARCH_REFERRALS:
if (pblock->pb_intop != NULL) {
(*(char ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_referrals;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
@@ -1167,11 +1189,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_ENTRY_PRE_OP:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_pre_op_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_ENTRY_POST_OP:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_post_op_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
@@ -1419,12 +1445,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_CONTROLS_ARG: /* used to pass control argument before operation is created */
if (pblock->pb_intop != NULL) {
(*(LDAPControl ***)value) = pblock->pb_intop->pb_ctrls_arg;
+ } else {
+ (*(LDAPControl ***)value) = NULL;
}
break;
/* notes to be added to the access log RESULT line for this op. */
case SLAPI_OPERATION_NOTES:
if (pblock->pb_intop != NULL) {
(*(unsigned int *)value) = pblock->pb_intop->pb_operation_notes;
+ } else {
+ (*(unsigned int *)value) = 0;
}
break;
@@ -1486,6 +1516,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_SYNTAX_SUBSTRLENS: /* aka SLAPI_MR_SUBSTRLENS */
if (pblock->pb_intplugin != NULL) {
(*(int **)value) = pblock->pb_intplugin->pb_substrlens;
+ } else {
+ (*(int **)value) = NULL;
}
break;
case SLAPI_PLUGIN_SYNTAX_VALIDATE:
@@ -1505,11 +1537,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_MANAGEDSAIT:
if (pblock->pb_intop != NULL) {
(*(int *)value) = pblock->pb_intop->pb_managedsait;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_PWPOLICY:
if (pblock->pb_intop != NULL) {
(*(int *)value) = pblock->pb_intop->pb_pwpolicy_ctrl;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -1522,11 +1558,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_ADD_EXISTING_DN_ENTRY:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_dn_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_ADD_EXISTING_UNIQUEID_ENTRY:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_uniqueid_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_ADD_PARENT_ENTRY:
@@ -1537,6 +1577,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_ADD_PARENT_UNIQUEID:
if (pblock->pb_op != NULL) {
(*(char **)value) = pblock->pb_op->o_params.p.p_add.parentuniqueid;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -1624,16 +1666,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_MODRDN_PARENT_ENTRY:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_parent_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_MODRDN_NEWPARENT_ENTRY:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_newparent_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_MODRDN_TARGET_ENTRY:
if (pblock->pb_intop != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_intop->pb_target_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_MODRDN_NEWSUPERIOR_ADDRESS:
@@ -1740,26 +1788,36 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_MR_FILTER_MATCH_FN:
if (pblock->pb_mr != NULL) {
(*(mrFilterMatchFn *)value) = pblock->pb_mr->filter_match_fn;
+ } else {
+ (*(mrFilterMatchFn *)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_FILTER_INDEX_FN:
if (pblock->pb_mr != NULL) {
(*(IFP *)value) = pblock->pb_mr->filter_index_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_FILTER_RESET_FN:
if (pblock->pb_mr != NULL) {
(*(IFP *)value) = pblock->pb_mr->filter_reset_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_INDEX_FN:
if (pblock->pb_mr != NULL) {
(*(IFP *)value) = pblock->pb_mr->index_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_INDEX_SV_FN:
if (pblock->pb_mr != NULL) {
(*(IFP *)value) = pblock->pb_mr->index_sv_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
@@ -1767,41 +1825,57 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_MR_OID:
if (pblock->pb_mr != NULL) {
(*(char **)value) = pblock->pb_mr->oid;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_TYPE:
if (pblock->pb_mr != NULL) {
(*(char **)value) = pblock->pb_mr->type;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_VALUE:
if (pblock->pb_mr != NULL) {
(*(struct berval **)value) = pblock->pb_mr->value;
+ } else {
+ (*(struct berval **)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_VALUES:
if (pblock->pb_mr != NULL) {
(*(struct berval ***)value) = pblock->pb_mr->values;
+ } else {
+ (*(struct berval ***)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_KEYS:
if (pblock->pb_mr != NULL) {
(*(struct berval ***)value) = pblock->pb_mr->keys;
+ } else {
+ (*(struct berval ***)value) = NULL;
}
break;
case SLAPI_PLUGIN_MR_FILTER_REUSABLE:
if (pblock->pb_mr != NULL) {
(*(unsigned int *)value) = pblock->pb_mr->filter_reusable;
+ } else {
+ (*(unsigned int *)value) = 0;
}
break;
case SLAPI_PLUGIN_MR_QUERY_OPERATOR:
if (pblock->pb_mr != NULL) {
(*(int *)value) = pblock->pb_mr->query_operator;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_PLUGIN_MR_USAGE:
if (pblock->pb_mr != NULL) {
(*(unsigned int *)value) = pblock->pb_mr->usage;
+ } else {
+ (*(unsigned int *)value) = 0;
}
break;
@@ -1865,16 +1939,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_SEQ_TYPE:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->seq_type;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_SEQ_ATTRNAME:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->seq_attrname;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_SEQ_VAL:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->seq_val;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -1882,47 +1962,65 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_LDIF2DB_FILE:
if (pblock->pb_task != NULL) {
(*(char ***)value) = pblock->pb_task->ldif_files;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
case SLAPI_LDIF2DB_REMOVEDUPVALS:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->removedupvals;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_DB2INDEX_ATTRS:
if (pblock->pb_task != NULL) {
(*(char ***)value) = pblock->pb_task->db2index_attrs;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
case SLAPI_LDIF2DB_NOATTRINDEXES:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->ldif2db_noattrindexes;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_LDIF2DB_INCLUDE:
if (pblock->pb_task != NULL) {
(*(char ***)value) = pblock->pb_task->ldif_include;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
case SLAPI_LDIF2DB_EXCLUDE:
if (pblock->pb_task != NULL) {
(*(char ***)value) = pblock->pb_task->ldif_exclude;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
case SLAPI_LDIF2DB_GENERATE_UNIQUEID:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->ldif_generate_uniqueid;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_LDIF2DB_ENCRYPT:
case SLAPI_DB2LDIF_DECRYPT:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->ldif_encrypt;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_LDIF2DB_NAMESPACEID:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->ldif_namespaceid;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -1930,16 +2028,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DB2LDIF_PRINTKEY:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->ldif_printkey;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_DB2LDIF_DUMP_UNIQUEID:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->ldif_dump_uniqueid;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_DB2LDIF_FILE:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->ldif_file;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -1947,37 +2051,51 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_BACKEND_INSTANCE_NAME:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->instance_name;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_BACKEND_TASK:
if (pblock->pb_task != NULL) {
(*(Slapi_Task **)value) = pblock->pb_task->task;
+ } else {
+ (*(Slapi_Task **)value) = NULL;
}
break;
case SLAPI_TASK_FLAGS:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->task_flags;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_DB2LDIF_SERVER_RUNNING:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->server_running;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_BULK_IMPORT_ENTRY:
if (pblock->pb_task != NULL) {
(*(Slapi_Entry **)value) = pblock->pb_task->import_entry;
+ } else {
+ (*(Slapi_Entry **)value) = NULL;
}
break;
case SLAPI_BULK_IMPORT_STATE:
if (pblock->pb_task != NULL) {
(*(int *)value) = pblock->pb_task->import_state;
+ } else {
+ (*(int *)value) = 0;
}
break;
/* dbverify */
case SLAPI_DBVERIFY_DBDIR:
if (pblock->pb_task != NULL) {
(*(char **)value) = pblock->pb_task->dbverify_dbdir;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -1993,11 +2111,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_TXN:
if (pblock->pb_intop != NULL) {
(*(void **)value) = pblock->pb_intop->pb_txn;
+ } else {
+ (*(void **)value) = NULL;
}
break;
case SLAPI_TXN_RUV_MODS_FN:
if (pblock->pb_intop != NULL) {
(*(IFP *)value) = pblock->pb_intop->pb_txn_ruv_mods_fn;
+ } else {
+ (*(IFP *)value) = NULL;
}
break;
@@ -2052,6 +2174,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PB_RESULT_TEXT:
if (pblock->pb_intop != NULL) {
*((char **)value) = pblock->pb_intop->pb_result_text;
+ } else {
+ *((char **)value) = NULL;
}
break;
@@ -2059,6 +2183,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DBSIZE:
if (pblock->pb_misc != NULL) {
(*(unsigned int *)value) = pblock->pb_misc->pb_dbsize;
+ } else {
+ (*(unsigned int *)value) = 0;
}
break;
@@ -2153,11 +2279,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_ARGC:
if (pblock->pb_misc != NULL) {
(*(int *)value) = pblock->pb_misc->pb_slapd_argc;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_ARGV:
if (pblock->pb_misc != NULL) {
(*(char ***)value) = pblock->pb_misc->pb_slapd_argv;
+ } else {
+ (*(char ***)value) = NULL;
}
break;
@@ -2165,6 +2295,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_CONFIG_DIRECTORY:
if (pblock->pb_intplugin != NULL) {
(*(char **)value) = pblock->pb_intplugin->pb_slapd_configdir;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -2175,12 +2307,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_USER_PWD:
if (pblock->pb_deprecated != NULL) {
(*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_user_passwd;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_DB_PWD:
if (pblock->pb_deprecated != NULL) {
(*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_db_passwd;
+ } else {
+ (*(char **)value) = NULL;
}
break;
@@ -2208,6 +2344,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_PLUGIN_ENABLED:
if (pblock->pb_intplugin != NULL) {
*((int *)value) = pblock->pb_intplugin->pb_plugin_enabled;
+ } else {
+ *((int *)value) = 0;
}
break;
@@ -2215,6 +2353,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DSE_DONT_WRITE_WHEN_ADDING:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->dont_add_write;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -2222,6 +2362,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DSE_MERGE_WHEN_ADDING:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->add_merge;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -2229,6 +2371,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DSE_DONT_CHECK_DUPS:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->dont_check_dups;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -2236,6 +2380,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DSE_REAPPLY_MODS:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->reapply_mods;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -2243,6 +2389,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_DSE_IS_PRIMARY_FILE:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->is_primary_file;
+ } else {
+ (*(int *)value) = 0;
}
break;
@@ -2250,42 +2398,56 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_SCHEMA_FLAGS:
if (pblock->pb_dse != NULL) {
(*(int *)value) = pblock->pb_dse->schema_flags;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_URP_NAMING_COLLISION_DN:
if (pblock->pb_intop != NULL) {
(*(char **)value) = pblock->pb_intop->pb_urp_naming_collision_dn;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_URP_TOMBSTONE_UNIQUEID:
if (pblock->pb_intop != NULL) {
(*(char **)value) = pblock->pb_intop->pb_urp_tombstone_uniqueid;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_URP_TOMBSTONE_CONFLICT_DN:
if (pblock->pb_intop != NULL) {
- (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn;
+ (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn;
+ } else {
+ (*(char **)value) = NULL;
}
break;
case SLAPI_SEARCH_CTRLS:
if (pblock->pb_intop != NULL) {
(*(LDAPControl ***)value) = pblock->pb_intop->pb_search_ctrls;
+ } else {
+ (*(LDAPControl ***)value) = NULL;
}
break;
case SLAPI_PLUGIN_SYNTAX_FILTER_NORMALIZED:
if (pblock->pb_intplugin != NULL) {
(*(int *)value) = pblock->pb_intplugin->pb_syntax_filter_normalized;
+ } else {
+ (*(int *)value) = 0;
}
break;
case SLAPI_PLUGIN_SYNTAX_FILTER_DATA:
if (pblock->pb_intplugin != NULL) {
(*(void **)value) = pblock->pb_intplugin->pb_syntax_filter_data;
+ } else {
+ (*(void **)value) = NULL;
}
break;
@@ -2311,6 +2473,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
case SLAPI_ACI_TARGET_CHECK:
if (pblock->pb_misc != NULL) {
(*(int *)value) = pblock->pb_misc->pb_aci_target_check;
+ } else {
+ (*(int *)value) = 0;
}
break;
--
2.13.6

40
SOURCES/0010-Fix-double-free-in-_cl5NewDBFile-error-path.patch
View file

@ -1,40 +0,0 @@
From 8c39c9dbe69949065940019e930c37b8f5450a75 Mon Sep 17 00:00:00 2001
From: Adam Tkac <vonsch@gmail.com>
Date: Sat, 18 Mar 2017 23:34:54 +0100
Subject: [PATCH] Fix double-free in _cl5NewDBFile() error path
Although slapi_ch_free should prevent double-free errors, it doesn't work
in old code because after assignment
(*dbFile)->name = name;
two independent pointers points to the same allocated area and both pointers
are free()-ed (one directly in error path in _cl5NewDBFile and the second
in _cl5DBCloseFile, called in error path as well).
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
---
ldap/servers/plugins/replication/cl5_api.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index fc70ab7..5c2233f 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -6269,9 +6269,10 @@ out:
}
(*dbFile)->db = db;
- (*dbFile)->name = name;
- (*dbFile)->replName = slapi_ch_strdup (replName);
- (*dbFile)->replGen = slapi_ch_strdup (replGen);
+ (*dbFile)->name = name;
+ name = NULL; /* transfer ownership to dbFile struct */
+ (*dbFile)->replName = slapi_ch_strdup (replName);
+ (*dbFile)->replGen = slapi_ch_strdup (replGen);
/*
* Considerations for setting up cl semaphore:
--
2.9.3

9
SOURCES/0078-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch → SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch
View file

@ -1,4 +1,4 @@
From bc190eeaaffbb514f69664b4d033dc593a78683b Mon Sep 17 00:00:00 2001
From 697e01b0ca2d028f0d2cabc47ab2335de93b0491 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 16 Oct 2017 12:52:46 -0400
Subject: [PATCH] Ticket 49402 - Adding a database entry with the same database
@ -18,20 +18,19 @@ https://pagure.io/389-ds-base/issue/49402
Reviewed by: lkrispen(Thanks!)
(cherry picked from commit bc6dbf15c160ac7e6c553133b2b936a981cfb7b6)
(cherry picked from commit 2ef4e813b8f6b92908ff553a704808cbbd425b5d)
---
ldap/servers/slapd/back-ldbm/import.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/back-ldbm/import.c b/ldap/servers/slapd/back-ldbm/import.c
index 7161bace1..f60df194b 100644
index e8f4a5615..42e2696d3 100644
--- a/ldap/servers/slapd/back-ldbm/import.c
+++ b/ldap/servers/slapd/back-ldbm/import.c
@@ -234,7 +234,7 @@ static void import_task_destroy(Slapi_Task *task)
@@ -244,7 +244,7 @@ import_task_destroy(Slapi_Task *task)
return;
}
- while(is_instance_busy(job->inst)){
- while (is_instance_busy(job->inst)) {
+ while (task->task_state == SLAPI_TASK_RUNNING) {
/* wait for the job to finish before freeing it */
DS_Sleep(PR_SecondsToInterval(1));

34
SOURCES/0011-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
View file

@ -1,34 +0,0 @@
From 8f908a1de1906a0b7451505d9640e2fd2f9fa7eb Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 22 Mar 2017 10:18:13 -0400
Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
Description: We do not calloc enough elements when processing nsslapd-attribute
from the retrocl plugin configuration. This causes invalid memory
to be freed at shutdown(via slapi_ch_array_free).
https://pagure.io/389-ds-base/issue/49188
Reviewed by: mreynolds(one line commit rule)
---
ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 32b30c7..6e68667 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -470,8 +470,8 @@ static int retrocl_start (Slapi_PBlock *pb)
retrocl_nattributes = n;
- retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
- retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
+ retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
+ retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
slapi_log_err(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "retrocl_start - Attributes:\n");
--
2.9.3

332
SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch Normal file
View file

@ -0,0 +1,332 @@
From 4af03a6a2a59684950d887d42c6e9d8b027d71f5 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Mon, 16 Oct 2017 11:21:51 +0200
Subject: [PATCH] Ticket 49064 - RFE allow to enable MemberOf plugin in
dedicated consumer
Bug Description:
memberof triggers some internal updates to add/del 'memberof' values.
on a readonly consumer, those updates selects a REFERRAL_ON_UPDATE backend
and that is not followed by internal updates.
At the end of the day, the update is rejected and if memberof plugin is enabled
replication will stuck on that rejected update
Fix Description:
internal updates from memberof need to bypassing referrals.
So they flag internal updates SLAPI_OP_FLAG_BYPASS_REFERRALS, so that mtn_get_be
(mapping tree selection) will not return the referrals.
https://pagure.io/389-ds-base/issue/49064
Reviewed by: Ludwig Krispenz, William Brown (thanks a LOT !)
Platforms tested: F23 (all tickets + basic suite)
Flag Day: no
Doc impact: no
---
dirsrvtests/tests/tickets/ticket49064_test.py | 259 ++++++++++++++++++++++++++
ldap/servers/plugins/memberof/memberof.c | 6 +-
2 files changed, 262 insertions(+), 3 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49064_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49064_test.py b/dirsrvtests/tests/tickets/ticket49064_test.py
new file mode 100644
index 000000000..b4b6de4b9
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49064_test.py
@@ -0,0 +1,259 @@
+import logging
+import pytest
+import os
+import time
+import ldap
+import subprocess
+from lib389.utils import ds_is_older
+from lib389.topologies import topology_m1h1c1 as topo
+from lib389._constants import *
+from lib389 import Entry
+
+# Skip on older versions
+pytestmark = pytest.mark.skipif(ds_is_older('1.3.7'), reason="Not implemented")
+
+USER_CN='user_'
+GROUP_CN='group_'
+FIXUP_FILTER = '(objectClass=*)'
+FIXUP_CMD = 'fixup-memberof.pl'
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+def memberof_fixup_task(server):
+ sbin_dir = server.get_sbin_dir()
+ memof_task = os.path.join(sbin_dir, FIXUP_CMD)
+ try:
+ output = subprocess.check_output(
+ [memof_task, '-D', DN_DM, '-w', PASSWORD, '-b', SUFFIX, '-Z', SERVERID_CONSUMER_1, '-f', FIXUP_FILTER])
+ except subprocess.CalledProcessError as err:
+ output = err.output
+ log.info('output: {}'.format(output))
+ expected = "Successfully added task entry"
+ assert expected in output
+
+def config_memberof(server):
+
+ server.plugins.enable(name=PLUGIN_MEMBER_OF)
+ MEMBEROF_PLUGIN_DN = ('cn=' + PLUGIN_MEMBER_OF + ',cn=plugins,cn=config')
+ server.modify_s(MEMBEROF_PLUGIN_DN, [(ldap.MOD_REPLACE,
+ 'memberOfAllBackends',
+ 'on'),
+ (ldap.MOD_REPLACE, 'memberOfAutoAddOC', 'nsMemberOf')])
+ # Configure fractional to prevent total init to send memberof
+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX)
+ for ent in ents:
+ log.info('update %s to add nsDS5ReplicatedAttributeListTotal' % ent.dn)
+ server.modify_s(ent.dn,
+ [(ldap.MOD_REPLACE,
+ 'nsDS5ReplicatedAttributeListTotal',
+ '(objectclass=*) $ EXCLUDE '),
+ (ldap.MOD_REPLACE,
+ 'nsDS5ReplicatedAttributeList',
+ '(objectclass=*) $ EXCLUDE memberOf')])
+
+
+def send_updates_now(server):
+
+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX)
+ for ent in ents:
+ server.agreement.pause(ent.dn)
+ server.agreement.resume(ent.dn)
+
+def add_user(server, no, desc='dummy', sleep=True):
+ cn = '%s%d' % (USER_CN, no)
+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
+ log.fatal('Adding user (%s): ' % dn)
+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser'],
+ 'sn': ['_%s' % cn],
+ 'description': [desc]})))
+ if sleep:
+ time.sleep(2)
+
+def add_group(server, nr, sleep=True):
+ cn = '%s%d' % (GROUP_CN, nr)
+ dn = 'cn=%s,ou=groups,%s' % (cn, SUFFIX)
+ server.add_s(Entry((dn, {'objectclass': ['top', 'groupofnames'],
+ 'description': 'group %d' % nr})))
+ if sleep:
+ time.sleep(2)
+
+def update_member(server, member_dn, group_dn, op, sleep=True):
+ mod = [(op, 'member', member_dn)]
+ server.modify_s(group_dn, mod)
+ if sleep:
+ time.sleep(2)
+
+def _find_memberof(server, member_dn, group_dn, find_result=True):
+ ent = server.getEntry(member_dn, ldap.SCOPE_BASE, "(objectclass=*)", ['memberof'])
+ found = False
+ if ent.hasAttr('memberof'):
+
+ for val in ent.getValues('memberof'):
+ server.log.info("!!!!!!! %s: memberof->%s" % (member_dn, val))
+ server.log.info("!!!!!!! %s" % (val))
+ server.log.info("!!!!!!! %s" % (group_dn))
+ if val.lower() == group_dn.lower():
+ found = True
+ break
+
+ if find_result:
+ assert (found)
+ else:
+ assert (not found)
+
+
+def test_ticket49064(topo):
+ """Specify a test case purpose or name here
+
+ :id: 60c11636-55a1-4704-9e09-2c6bcc828de4
+ :setup: 1 Master - 1 Hub - 1 Consumer
+ :steps:
+ 1. Configure replication to EXCLUDE memberof
+ 2. Enable memberof plugin
+ 3. Create users/groups
+ 4. make user_1 member of group_1
+ 5. Checks that user_1 is memberof group_1 on M,H,C
+ 6. make group_1 member of group_2 (nest group)
+ 7. Checks that user_1 is memberof group_1 and group_2 on M,H,C
+ 8. Check group_1 is memberof group_2 on M,H,C
+ 9. remove group_1 from group_2
+ 10. Check group_1 and user_1 are NOT memberof group_2 on M,H,C
+ 11. remove user_1 from group_1
+ 12. Check user_1 is NOT memberof group_1 and group_2 on M,H,C
+ 13. Disable memberof on C1
+ 14. make user_1 member of group_1
+ 15. Checks that user is memberof group_1 on M,H but not on C
+ 16. Enable memberof on C1
+ 17. Checks that user is memberof group_1 on M,H but not on C
+ 18. Run memberof fixup task
+ 19. Checks that user is memberof group_1 on M,H,C
+
+
+ :expectedresults:
+ no assert for membership check
+ """
+
+
+ M1 = topo.ms["master1"]
+ H1 = topo.hs["hub1"]
+ C1 = topo.cs["consumer1"]
+
+ # Step 1 & 2
+ M1.config.enable_log('audit')
+ config_memberof(M1)
+ M1.restart()
+
+ H1.config.enable_log('audit')
+ config_memberof(H1)
+ H1.restart()
+
+ C1.config.enable_log('audit')
+ config_memberof(C1)
+ C1.restart()
+
+ # Step 3
+ for i in range(10):
+ add_user(M1, i, desc='add on m1')
+ for i in range(3):
+ add_group(M1, i)
+
+ # Step 4
+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True)
+
+ # Step 5
+ for i in [M1, H1, C1]:
+ _find_memberof(i, member_dn, group_dn, find_result=True)
+
+
+ # Step 6
+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX)
+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_ADD, sleep=True)
+
+ # Step 7
+ for i in [grp1_dn, grp2_dn]:
+ for inst in [M1, H1, C1]:
+ _find_memberof(inst, user_dn, i, find_result=True)
+
+ # Step 8
+ for i in [M1, H1, C1]:
+ _find_memberof(i, grp1_dn, grp2_dn, find_result=True)
+
+ # Step 9
+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX)
+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_DELETE, sleep=True)
+
+ # Step 10
+ for inst in [M1, H1, C1]:
+ for i in [grp1_dn, user_dn]:
+ _find_memberof(inst, i, grp2_dn, find_result=False)
+
+ # Step 11
+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
+ update_member(M1, member_dn, group_dn, ldap.MOD_DELETE, sleep=True)
+
+ # Step 12
+ for inst in [M1, H1, C1]:
+ for grp in [grp1_dn, grp2_dn]:
+ _find_memberof(inst, member_dn, grp, find_result=False)
+
+ # Step 13
+ C1.plugins.disable(name=PLUGIN_MEMBER_OF)
+ C1.restart()
+
+ # Step 14
+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True)
+
+ # Step 15
+ for i in [M1, H1]:
+ _find_memberof(i, member_dn, group_dn, find_result=True)
+ _find_memberof(C1, member_dn, group_dn, find_result=False)
+
+ # Step 16
+ C1.plugins.enable(name=PLUGIN_MEMBER_OF)
+ C1.restart()
+
+ # Step 17
+ for i in [M1, H1]:
+ _find_memberof(i, member_dn, group_dn, find_result=True)
+ _find_memberof(C1, member_dn, group_dn, find_result=False)
+
+ # Step 18
+ memberof_fixup_task(C1)
+ time.sleep(5)
+
+ # Step 19
+ for i in [M1, H1, C1]:
+ _find_memberof(i, member_dn, group_dn, find_result=True)
+
+ # If you need any test suite initialization,
+ # please, write additional fixture for that (including finalizer).
+ # Topology for suites are predefined in lib389/topologies.py.
+
+ # If you need host, port or any other data about instance,
+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index bae242c81..44b52edbb 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -609,7 +609,7 @@ memberof_del_dn_type_callback(Slapi_Entry *e, void *callback_data)
slapi_modify_internal_set_pb_ext(
mod_pb, slapi_entry_get_sdn(e),
mods, 0, 0,
- memberof_get_plugin_id(), 0);
+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
slapi_modify_internal_pb(mod_pb);
@@ -3224,7 +3224,7 @@ memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc)
mod_pb = slapi_pblock_new();
slapi_modify_internal_set_pb(
mod_pb, dn, mods, 0, 0,
- memberof_get_plugin_id(), 0);
+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
slapi_modify_internal_pb(mod_pb);
slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
@@ -3279,7 +3279,7 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn)
slapi_modify_internal_set_pb(
mod_pb, dn, mods, 0, 0,
- memberof_get_plugin_id(), 0);
+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
slapi_modify_internal_pb(mod_pb);
slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
--
2.13.6

131
SOURCES/0012-Ticket-49177-rpm-would-not-create-valid-pkgconfig-fi.patch
View file

@ -1,131 +0,0 @@
From fffbb3d39a2ea12a2b3a72c729e76c1e69a19d8f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 27 Mar 2017 14:33:17 -0400
Subject: [PATCH] Ticket 49177 - rpm would not create valid pkgconfig files
Bug Description: pkgconfig from the rpm was not valid.
Fix Description: Resolve an issue in the way we handle the file
substiution to resolve this issue.
https://pagure.io/389-ds-base/issue/49177
---
Makefile.am | 10 ++--------
configure.ac | 3 +++
m4/mozldap.m4 | 4 ++++
m4/openldap.m4 | 4 ++++
src/pkgconfig/dirsrv.pc.in | 4 ++++
5 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 4a4b2d3..982dd28 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -110,14 +110,12 @@ if OPENLDAP
# shared lib _fini for one will stomp on the other, and the program will crash
LDAPSDK_LINK_NOTHR = @openldap_lib@ -lldap@ol_libver@ @ldap_lib_ldif@ -llber@ol_libver@
LDAPSDK_LINK = @openldap_lib@ -lldap_r@ol_libver@ @ldap_lib_ldif@ -llber@ol_libver@
-ldaplib = openldap
-ldaplib_defs = -DUSE_OPENLDAP
else
LDAPSDK_LINK = @ldapsdk_lib@ -lssldap60 -lprldap60 -lldap60 -lldif60
LDAPSDK_LINK_NOTHR = $(LDAPSDK_LINK)
-ldaplib = mozldap
-ldaplib_defs =
endif
+ldaplib = @ldaplib@
+ldaplib_defs = @ldaplib_defs@
DB_LINK = @db_lib@ -ldb-@db_libver@
SASL_LINK = @sasl_lib@ -lsasl2
@@ -2237,10 +2235,6 @@ else
$(fixupcmd) $^ | sed -n -e 's/@preamble@//' -e '/^#/{p;d;}' -e '/^$$/{p;d;}' -e 's/^\([^=]*\)\(=.*\)$$/\1\2 ; export \1/ ; p' > $@
endif
-%/$(PACKAGE_NAME).pc: %/dirsrv.pc.in
- if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
- $(fixupcmd) $^ > $@
-
%/$(PACKAGE_NAME)-snmp: %/ldap-agent-initscript.in
if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
$(fixupcmd) $^ > $@
diff --git a/configure.ac b/configure.ac
index 4e3e9fb..3f2aa75 100644
--- a/configure.ac
+++ b/configure.ac
@@ -785,6 +785,8 @@ AC_SUBST(openldap_inc)
AC_SUBST(openldap_lib)
AC_SUBST(openldap_libdir)
AC_SUBST(openldap_bindir)
+AC_SUBST(ldaplib)
+AC_SUBST(ldaplib_defs)
AC_SUBST(ldaptool_bindir)
AC_SUBST(ldaptool_opts)
AC_SUBST(plainldif_opts)
@@ -853,6 +855,7 @@ if test "$GCC" != yes ; then
fi
# Build our pkgconfig files
+# This currently conflicts with %.in: rule in Makefile.am, which should be removed eventually.
AC_CONFIG_FILES([src/pkgconfig/dirsrv.pc src/pkgconfig/nunc-stans.pc src/pkgconfig/libsds.pc])
AC_CONFIG_FILES([Makefile rpm/389-ds-base.spec ])
diff --git a/m4/mozldap.m4 b/m4/mozldap.m4
index 4352151..8084ed8 100644
--- a/m4/mozldap.m4
+++ b/m4/mozldap.m4
@@ -15,6 +15,8 @@ AC_ARG_WITH(ldapsdk, AS_HELP_STRING([--with-ldapsdk@<:@=PATH@:>@],[Mozilla LDAP
if test "$withval" = yes
then
AC_MSG_RESULT(yes)
+ ldaplib="mozldap"
+ ldaplib_defs=""
elif test "$withval" = no
then
AC_MSG_RESULT(no)
@@ -22,6 +24,8 @@ AC_ARG_WITH(ldapsdk, AS_HELP_STRING([--with-ldapsdk@<:@=PATH@:>@],[Mozilla LDAP
then
AC_MSG_RESULT([using $withval])
LDAPSDKDIR=$withval
+ ldaplib="mozldap"
+ ldaplib_defs=""
ldapsdk_inc="-I$LDAPSDKDIR/include"
ldapsdk_lib="-L$LDAPSDKDIR/lib"
ldapsdk_libdir="$LDAPSDKDIR/lib"
diff --git a/m4/openldap.m4 b/m4/openldap.m4
index 417bf43..f45637c 100644
--- a/m4/openldap.m4
+++ b/m4/openldap.m4
@@ -15,6 +15,8 @@ AC_ARG_WITH(openldap, AS_HELP_STRING([--with-openldap@<:@=PATH@:>@],[Use OpenLDA
if test "$withval" = yes
then
AC_MSG_RESULT([using system OpenLDAP])
+ ldaplib="openldap"
+ ldaplib_defs="-DUSE_OPENLDAP"
elif test "$withval" = no
then
AC_MSG_RESULT(no)
@@ -22,6 +24,8 @@ AC_ARG_WITH(openldap, AS_HELP_STRING([--with-openldap@<:@=PATH@:>@],[Use OpenLDA
then
AC_MSG_RESULT([using $withval])
OPENLDAPDIR=$withval
+ ldaplib="openldap"
+ ldaplib_defs="-DUSE_OPENLDAP"
openldap_incdir="$OPENLDAPDIR/include"
openldap_inc="-I$openldap_incdir"
openldap_lib="-L$OPENLDAPDIR/lib"
diff --git a/src/pkgconfig/dirsrv.pc.in b/src/pkgconfig/dirsrv.pc.in
index 4140031..df433cf 100644
--- a/src/pkgconfig/dirsrv.pc.in
+++ b/src/pkgconfig/dirsrv.pc.in
@@ -1,3 +1,7 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
ldaplib=@ldaplib@
Name: dirsrv
--
2.9.3

48
SOURCES/0012-Ticket-49378-server-init-fails.patch Normal file
View file

@ -0,0 +1,48 @@
From 82e092e9debce16f048b4fe0f38265bc8d80f63d Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Thu, 28 Sep 2017 09:11:00 +1000
Subject: [PATCH] Ticket 49378 server init fails
Bug Description: We used our own target for DS installation, but
we should just use multi-user like anything else.
Fix Description: Change service template to multi-user. This should
be a seamless upgrade to most consumers.
https://pagure.io/389-ds-base/issue/49378
Author: wibrown
Review by: mreynolds (Thanks!)
(cherry picked from commit e9ad5f5aca64f65fa2c9b2dc5132b0dacf131c99)
---
wrappers/systemd.template.asan.service.in | 2 +-
wrappers/systemd.template.service.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/wrappers/systemd.template.asan.service.in b/wrappers/systemd.template.asan.service.in
index 1fe321ccb..52681f632 100644
--- a/wrappers/systemd.template.asan.service.in
+++ b/wrappers/systemd.template.asan.service.in
@@ -36,5 +36,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
.include @initconfigdir@/@package_name@.systemd
[Install]
-WantedBy=dirsrv.target
+WantedBy=multi-user.target
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index 30b9e4b78..0d88900b6 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -40,5 +40,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
.include @initconfigdir@/@package_name@.systemd
[Install]
-WantedBy=dirsrv.target
+WantedBy=multi-user.target
--
2.13.6

245
SOURCES/0013-Ticket-49076-To-debug-DB_DEADLOCK-condition-allow-to.patch
View file

@ -1,245 +0,0 @@
From 1a66f5f232d6c2869ef4e439eafe5a820f61a976 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Wed, 15 Feb 2017 11:31:27 +0100
Subject: [PATCH] Ticket 49076 - To debug DB_DEADLOCK condition, allow to reset
DB_TXN_NOWAIT flag on txn_begin
Bug Description:
For debug reason it is interesting to have a new configuration ldbm backend config
option (nsslapd-db-transaction-wait) that allows to hang on deadlock
rather to let the server handling retries.
Fix Description:
The fix introduce a new attribute nsslapd-db-transaction-wait under
"cn=config,cn=ldbm database,cn=plugins,cn=config".
By default it is "off" (ldbm returns DB_DEADLOCK) and can be changed
online.
It is taken into account when a new transcation begin.
https://pagure.io/389-ds-base/issue/49076
Reviewed by: William Brown, Ludwig Krispenz
Platforms tested: F23
Flag Day: no
Doc impact: no
---
dirsrvtests/tests/tickets/ticket49076_test.py | 103 ++++++++++++++++++++++++++
ldap/servers/slapd/back-ldbm/dblayer.c | 9 ++-
ldap/servers/slapd/back-ldbm/dblayer.h | 3 +
ldap/servers/slapd/back-ldbm/ldbm_config.c | 22 ++++++
ldap/servers/slapd/back-ldbm/ldbm_config.h | 1 +
5 files changed, 137 insertions(+), 1 deletion(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49076_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49076_test.py b/dirsrvtests/tests/tickets/ticket49076_test.py
new file mode 100644
index 0000000..c4a2c1b
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49076_test.py
@@ -0,0 +1,103 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+ldbm_config = "cn=config,%s" % (DN_LDBM)
+txn_begin_flag = "nsslapd-db-transaction-wait"
+TEST_USER_DN = 'cn=test,%s' % SUFFIX
+TEST_USER = "test"
+
+def _check_configured_value(topology_st, attr=txn_begin_flag, expected_value=None, required=False):
+ entries = topology_st.standalone.search_s(ldbm_config, ldap.SCOPE_BASE, 'cn=config')
+ if required:
+ assert (entries[0].hasValue(attr))
+ if entries[0].hasValue(attr):
+ topology_st.standalone.log.info('Current value is %s' % entries[0].getValue(attr))
+ assert (entries[0].getValue(attr) == expected_value)
+
+def _update_db(topology_st):
+ topology_st.standalone.add_s(
+ Entry((TEST_USER_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'cn': TEST_USER,
+ 'sn': TEST_USER,
+ 'givenname': TEST_USER})))
+ topology_st.standalone.delete_s(TEST_USER_DN)
+
+def test_ticket49076(topo):
+ """Write your testcase here...
+
+ Also, if you need any testcase initialization,
+ please, write additional fixture for that(include finalizer).
+ """
+
+ # check default value is DB_TXN_NOWAIT
+ _check_configured_value(topo, expected_value="off")
+
+ # tests we are able to update DB
+ _update_db(topo)
+
+ # switch to wait mode
+ topo.standalone.modify_s(ldbm_config,
+ [(ldap.MOD_REPLACE, txn_begin_flag, "on")])
+ # check default value is DB_TXN_NOWAIT
+ _check_configured_value(topo, expected_value="on")
+ _update_db(topo)
+
+
+ # switch back to "normal mode"
+ topo.standalone.modify_s(ldbm_config,
+ [(ldap.MOD_REPLACE, txn_begin_flag, "off")])
+ # check default value is DB_TXN_NOWAIT
+ _check_configured_value(topo, expected_value="off")
+ # tests we are able to update DB
+ _update_db(topo)
+
+ # check that settings are not reset by restart
+ topo.standalone.modify_s(ldbm_config,
+ [(ldap.MOD_REPLACE, txn_begin_flag, "on")])
+ # check default value is DB_TXN_NOWAIT
+ _check_configured_value(topo, expected_value="on")
+ _update_db(topo)
+ topo.standalone.restart(timeout=10)
+ _check_configured_value(topo, expected_value="on")
+ _update_db(topo)
+
+ # switch default value
+ topo.standalone.modify_s(ldbm_config,
+ [(ldap.MOD_DELETE, txn_begin_flag, None)])
+ # check default value is DB_TXN_NOWAIT
+ _check_configured_value(topo, expected_value="off")
+ # tests we are able to update DB
+ _update_db(topo)
+ topo.standalone.restart(timeout=10)
+ _check_configured_value(topo, expected_value="off")
+ # tests we are able to update DB
+ _update_db(topo)
+
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 683994f..507a3cc 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -3374,6 +3374,8 @@ dblayer_txn_begin_ext(struct ldbminfo *li, back_txnid parent_txn, back_txn *txn,
if (priv->dblayer_enable_transactions)
{
+ int txn_begin_flags;
+
dblayer_private_env *pEnv = priv->dblayer_env;
if(use_lock) slapi_rwlock_rdlock(pEnv->dblayer_env_lock);
if (!parent_txn)
@@ -3383,11 +3385,16 @@ dblayer_txn_begin_ext(struct ldbminfo *li, back_txnid parent_txn, back_txn *txn,
if (par_txn_txn) {
parent_txn = par_txn_txn->back_txn_txn;
}
+ }
+ if (priv->dblayer_txn_wait) {
+ txn_begin_flags = 0;
+ } else {
+ txn_begin_flags = DB_TXN_NOWAIT;
}
return_value = TXN_BEGIN(pEnv->dblayer_DB_ENV,
(DB_TXN*)parent_txn,
&new_txn.back_txn_txn,
- DB_TXN_NOWAIT);
+ txn_begin_flags);
if (0 != return_value)
{
if(use_lock) slapi_rwlock_unlock(priv->dblayer_env->dblayer_env_lock);
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.h b/ldap/servers/slapd/back-ldbm/dblayer.h
index e02e6e0..e4307fc 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.h
+++ b/ldap/servers/slapd/back-ldbm/dblayer.h
@@ -104,6 +104,9 @@ struct dblayer_private
* the mpool */
int dblayer_recovery_required;
int dblayer_enable_transactions;
+ int dblayer_txn_wait; /* Default is "off" (DB_TXN_NOWAIT) but for
+ * support purpose it could be helpful to set
+ * "on" so that backend hang on deadlock */
int dblayer_durable_transactions;
int dblayer_checkpoint_interval;
int dblayer_circular_logging;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 8541224..dfe7a13 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -636,6 +636,27 @@ static int ldbm_config_db_transaction_logging_set(void *arg, void *value, char *
return retval;
}
+
+static void *ldbm_config_db_transaction_wait_get(void *arg)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+
+ return (void *) ((uintptr_t)li->li_dblayer_private->dblayer_txn_wait);
+}
+
+static int ldbm_config_db_transaction_wait_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+ int retval = LDAP_SUCCESS;
+ int val = (int) ((uintptr_t)value);
+
+ if (apply) {
+ li->li_dblayer_private->dblayer_txn_wait = val;
+ }
+
+ return retval;
+}
+
static void *ldbm_config_db_logbuf_size_get(void *arg)
{
struct ldbminfo *li = (struct ldbminfo *) arg;
@@ -1517,6 +1538,7 @@ static config_info ldbm_config[] = {
{CONFIG_DB_DURABLE_TRANSACTIONS, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_durable_transactions_get, &ldbm_config_db_durable_transactions_set, CONFIG_FLAG_ALWAYS_SHOW},
{CONFIG_DB_CIRCULAR_LOGGING, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_circular_logging_get, &ldbm_config_db_circular_logging_set, 0},
{CONFIG_DB_TRANSACTION_LOGGING, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_transaction_logging_get, &ldbm_config_db_transaction_logging_set, 0},
+ {CONFIG_DB_TRANSACTION_WAIT, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_transaction_wait_get, &ldbm_config_db_transaction_wait_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_DB_CHECKPOINT_INTERVAL, CONFIG_TYPE_INT, "60", &ldbm_config_db_checkpoint_interval_get, &ldbm_config_db_checkpoint_interval_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_DB_COMPACTDB_INTERVAL, CONFIG_TYPE_INT, "2592000"/*30days*/, &ldbm_config_db_compactdb_interval_get, &ldbm_config_db_compactdb_interval_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_DB_TRANSACTION_BATCH, CONFIG_TYPE_INT, "0", &dblayer_get_batch_transactions, &dblayer_set_batch_transactions, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.h b/ldap/servers/slapd/back-ldbm/ldbm_config.h
index f481937..ddec3a8 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.h
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.h
@@ -80,6 +80,7 @@ struct config_info {
#define CONFIG_DB_DURABLE_TRANSACTIONS "nsslapd-db-durable-transaction"
#define CONFIG_DB_CIRCULAR_LOGGING "nsslapd-db-circular-logging"
#define CONFIG_DB_TRANSACTION_LOGGING "nsslapd-db-transaction-logging"
+#define CONFIG_DB_TRANSACTION_WAIT "nsslapd-db-transaction-wait"
#define CONFIG_DB_CHECKPOINT_INTERVAL "nsslapd-db-checkpoint-interval"
#define CONFIG_DB_COMPACTDB_INTERVAL "nsslapd-db-compactdb-interval"
#define CONFIG_DB_TRANSACTION_BATCH "nsslapd-db-transaction-batch-val"
--
2.9.3

50
SOURCES/0013-Ticket-49392-memavailable-not-available.patch Normal file
View file

@ -0,0 +1,50 @@
From 9369164f45ba19519158286590aaefae1c64ef05 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Thu, 5 Oct 2017 09:54:48 +1000
Subject: [PATCH] Ticket 49392 - memavailable not available
Bug Description: On certain linux platforms memAvailable is
not actually available! This means that the value was 0, so
cgroup max was read instead, setting the system ram to:
9223372036854771712
That's a bit excessive, and can cause memory allocations to fail.
Fix Description: If memavail can't be found, fall back to
memtotal instead.
https://pagure.io/389-ds-base/issue/49392
Author: wibrown
Review by: mreynolds (Thanks!)
---
ldap/servers/slapd/slapi_pal.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/slapi_pal.c b/ldap/servers/slapd/slapi_pal.c
index 38c178cfa..600d03d4d 100644
--- a/ldap/servers/slapd/slapi_pal.c
+++ b/ldap/servers/slapd/slapi_pal.c
@@ -155,7 +155,16 @@ spal_meminfo_get()
/* Both memtotal and memavail are in kb */
memtotal = memtotal * 1024;
- memavail = memavail * 1024;
+
+ /*
+ * Oracle Enterprise Linux doesn't provide a valid memavail value, so fall
+ * back to 80% of memtotal.
+ */
+ if (memavail == 0) {
+ memavail = memtotal * 0.8;
+ } else {
+ memavail = memavail * 1024;
+ }
/* If it's possible, get our cgroup info */
uint64_t cg_mem_soft = 0;
--
2.13.6

244
SOURCES/0014-Issue-49192-Deleting-suffix-can-hang-server.patch
View file

@ -1,244 +0,0 @@
From 353955ba9b4c487e30315d39d1880b6b784817d2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 27 Mar 2017 10:59:40 -0400
Subject: [PATCH] Issue 49192 - Deleting suffix can hang server
Description: If you attempt to bind as an inactive user the backend rwlock
is not unlocked. Regression introduced from issue 49051.
https://pagure.io/389-ds-base/issue/49192
Reviewed by: nhosoi(Thanks!)
---
dirsrvtests/tests/tickets/ticket49192_test.py | 177 ++++++++++++++++++++++++++
ldap/servers/slapd/bind.c | 3 -
ldap/servers/slapd/pw_verify.c | 8 +-
3 files changed, 179 insertions(+), 9 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49192_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49192_test.py b/dirsrvtests/tests/tickets/ticket49192_test.py
new file mode 100644
index 0000000..f770ba7
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49192_test.py
@@ -0,0 +1,177 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import Entry
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+INDEX_DN = 'cn=index,cn=Second_Backend,cn=ldbm database,cn=plugins,cn=config'
+SUFFIX_DN = 'cn=Second_Backend,cn=ldbm database,cn=plugins,cn=config'
+MY_SUFFIX = "o=hang.com"
+USER_DN = 'uid=user,' + MY_SUFFIX
+
+
+def test_ticket49192(topo):
+ """Trigger deadlock when removing suffix
+ """
+
+ #
+ # Create a second suffix/backend
+ #
+ log.info('Creating second backend...')
+ topo.standalone.backends.create(None, properties={
+ BACKEND_NAME: "Second_Backend",
+ 'suffix': "o=hang.com",
+ })
+ try:
+ topo.standalone.add_s(Entry(("o=hang.com", {
+ 'objectclass': 'top organization'.split(),
+ 'o': 'hang.com'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to create 2nd suffix: error ' + e.message['desc'])
+ assert False
+
+ #
+ # Add roles
+ #
+ log.info('Adding roles...')
+ try:
+ topo.standalone.add_s(Entry(('cn=nsManagedDisabledRole,' + MY_SUFFIX, {
+ 'objectclass': ['top', 'LdapSubEntry',
+ 'nsRoleDefinition',
+ 'nsSimpleRoleDefinition',
+ 'nsManagedRoleDefinition'],
+ 'cn': 'nsManagedDisabledRole'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add managed role: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry(('cn=nsDisabledRole,' + MY_SUFFIX, {
+ 'objectclass': ['top', 'LdapSubEntry',
+ 'nsRoleDefinition',
+ 'nsComplexRoleDefinition',
+ 'nsNestedRoleDefinition'],
+ 'cn': 'nsDisabledRole',
+ 'nsRoledn': 'cn=nsManagedDisabledRole,' + MY_SUFFIX})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add nested role: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry(('cn=nsAccountInactivationTmp,' + MY_SUFFIX, {
+ 'objectclass': ['top', 'nsContainer'],
+ 'cn': 'nsAccountInactivationTmp'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add container: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry(('cn=\"cn=nsDisabledRole,' + MY_SUFFIX + '\",cn=nsAccountInactivationTmp,' + MY_SUFFIX, {
+ 'objectclass': ['top', 'extensibleObject', 'costemplate',
+ 'ldapsubentry'],
+ 'nsAccountLock': 'true'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add cos1: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry(('cn=nsAccountInactivation_cos,' + MY_SUFFIX, {
+ 'objectclass': ['top', 'LdapSubEntry', 'cosSuperDefinition',
+ 'cosClassicDefinition'],
+ 'cn': 'nsAccountInactivation_cos',
+ 'cosTemplateDn': 'cn=nsAccountInactivationTmp,' + MY_SUFFIX,
+ 'cosSpecifier': 'nsRole',
+ 'cosAttribute': 'nsAccountLock operational'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add cos2 : error ' + e.message['desc'])
+ assert False
+
+ #
+ # Add test entry
+ #
+ try:
+ topo.standalone.add_s(Entry((USER_DN, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'user',
+ 'userpassword': 'password',
+ })))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add user: error ' + e.message['desc'])
+ assert False
+
+ #
+ # Inactivate the user account
+ #
+ try:
+ topo.standalone.modify_s(USER_DN,
+ [(ldap.MOD_ADD,
+ 'nsRoleDN',
+ 'cn=nsManagedDisabledRole,' + MY_SUFFIX)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to disable user: error ' + e.message['desc'])
+ assert False
+
+ time.sleep(1)
+
+ # Bind as user (should fail)
+ try:
+ topo.standalone.simple_bind_s(USER_DN, 'password')
+ log.error("Bind incorrectly worked")
+ assert False
+ except ldap.UNWILLING_TO_PERFORM:
+ log.info('Got error 53 as expected')
+ except ldap.LDAPError as e:
+ log.fatal('Bind has unexpected error ' + e.message['desc'])
+ assert False
+
+ # Bind as root DN
+ try:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('RootDN Bind has unexpected error ' + e.message['desc'])
+ assert False
+
+ #
+ # Delete suffix
+ #
+ log.info('Delete the suffix and children...')
+ try:
+ index_entries = topo.standalone.search_s(
+ SUFFIX_DN, ldap.SCOPE_SUBTREE, 'objectclass=top')
+ except ldap.LDAPError as e:
+ log.error('Failed to search: %s - error %s' % (SUFFIX_DN, str(e)))
+
+ for entry in reversed(index_entries):
+ try:
+ log.info("Deleting: " + entry.dn)
+ if entry.dn != SUFFIX_DN and entry.dn != INDEX_DN:
+ topo.standalone.search_s(entry.dn,
+ ldap.SCOPE_ONELEVEL,
+ 'objectclass=top')
+ topo.standalone.delete_s(entry.dn)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to delete entry: %s - error %s' %
+ (entry.dn, str(e)))
+ assert False
+
+ log.info("Test Passed")
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 5c4fada..f83df7d 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -771,9 +771,6 @@ do_bind( Slapi_PBlock *pb )
/* need_new_pw failed; need_new_pw already send_ldap_result in it. */
goto free_and_return;
}
- if (be) {
- slapi_be_Unlock(be);
- }
} else { /* anonymous */
/* set bind creds here so anonymous limits are set */
bind_credentials_set(pb->pb_conn, authtype, NULL, NULL, NULL, NULL, NULL);
diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c
index a9fd9ec..852b027 100644
--- a/ldap/servers/slapd/pw_verify.c
+++ b/ldap/servers/slapd/pw_verify.c
@@ -50,8 +50,6 @@ pw_verify_root_dn(const char *dn, const Slapi_Value *cred)
*
* In the future, this will use the credentials and do mfa.
*
- * If you get SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS you need to unlock
- * the backend.
* All other results, it's already released.
*/
int
@@ -81,10 +79,8 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
set_db_default_result_handlers(pb);
/* now take the dn, and check it */
rc = (*be->be_bind)(pb);
- /* now attempt the bind. */
- if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) {
- slapi_be_Unlock(be);
- }
+ slapi_be_Unlock(be);
+
return rc;
}
--
2.9.3

91
SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch Normal file
View file

@ -0,0 +1,91 @@
From 73c72aba0ab31f9d16cdfd8879e9da5f3fb985e0 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 17 Oct 2017 12:39:18 -0400
Subject: [PATCH] Ticket 48006 - Missing warning for invalid replica backoff
configuration
Description: Add warning if you try to set a min backoff time that is
greater than the configured maximum, or the max time that
is less than the minimum.
Also fixed compiler warning in ldbm_config.c
https://pagure.io/389-ds-base/issue/48006
Reviewed by: firstyear(Thanks!)
(cherry picked from commit e123acb6987c75f6d7282b32c4f279b976eb6f5e)
---
.../plugins/replication/repl5_replica_config.c | 24 ++++++++++++++++++++--
ldap/servers/slapd/back-ldbm/ldbm_config.c | 2 +-
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index f28044c19..22d766143 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -465,7 +465,8 @@ replica_config_modify(Slapi_PBlock *pb,
}
} else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) {
if (apply_mods) {
- PRUint64 val = atoll(config_attr_value);
+ uint64_t val = atoll(config_attr_value);
+ uint64_t max;
if (val <= 0) {
*returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -475,11 +476,21 @@ replica_config_modify(Slapi_PBlock *pb,
slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
break;
}
+ max = replica_get_backoff_max(r);
+ if (val > max){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
+ config_attr, config_attr_value, (int)max);
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
+ break;
+ }
replica_set_backoff_min(r, val);
}
} else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) {
if (apply_mods) {
- PRUint64 val = atoll(config_attr_value);
+ uint64_t val = atoll(config_attr_value);
+ uint64_t min;
if (val <= 0) {
*returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -490,6 +501,15 @@ replica_config_modify(Slapi_PBlock *pb,
errortext);
break;
}
+ min = replica_get_backoff_min(r);
+ if (val < min) {
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
+ config_attr, config_attr_value, (int)min);
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
+ break;
+ }
replica_set_backoff_max(r, val);
}
} else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) {
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 2ef4652ce..feb993366 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -388,7 +388,7 @@ ldbm_config_directory_set(void *arg, void *value, char *errorbuf, int phase, int
goto done;
}
slapi_pblock_destroy(search_pb);
- if (NULL == s || '\0' == s || 0 == PL_strcmp(s, "(null)")) {
+ if (NULL == s || '\0' == *s || 0 == PL_strcmp(s, "(null)")) {
slapi_log_err(SLAPI_LOG_ERR,
"ldbm_config_directory_set", "db directory is not set; check %s in the db config: %s\n",
CONFIG_DIRECTORY, CONFIG_LDBM_DN);
--
2.13.6

200
SOURCES/0015-Ticket-49174-nunc-stans-can-not-use-negative-timeout.patch
View file

@ -1,200 +0,0 @@
From 4f90e73538f1faf101733fcd95392bb77ba9467c Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Wed, 22 Mar 2017 14:10:11 +1000
Subject: [PATCH] Ticket 49174 - nunc-stans can not use negative timeout
Bug Description: FreeIPA regularly sets up service accounts with
an nsIdleTimeout of -1. As a result of an issue with NS and libevent
this would cause an instant timeout and disconnect of the service
account.
Fix Description: Correctly check that jobs are registered to NS.
Add validation to NS for negative timeouts. During the job registration,
we force the timeout to be a valid value.
https://pagure.io/389-ds-base/issue/49174
Author: wibrown
Review by: mreynolds(Thanks!!!)
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
---
ldap/servers/slapd/daemon.c | 39 ++++++++++++++++++++++++++++-------
src/nunc-stans/ns/ns_event_fw_event.c | 8 -------
src/nunc-stans/ns/ns_thrpool.c | 16 ++++++++++++++
src/nunc-stans/test/test_nuncstans.c | 20 ++++++++++++++++++
4 files changed, 68 insertions(+), 15 deletions(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index e17a858..a4ea4c0 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1891,15 +1891,32 @@ ns_connection_post_io_or_closing(Connection *conn)
tv.tv_usec = slapd_wakeup_timer * 1000;
conn->c_ns_close_jobs++; /* now 1 active closure job */
connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
- ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
+ PRStatus job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
ns_handle_closure, conn, NULL);
- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post closure job "
- "for conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd);
+#ifdef DEBUG
+ PR_ASSERT(job_result == PR_SUCCESS);
+#endif
+ if (job_result != PR_SUCCESS) {
+ slapi_log_err(SLAPI_LOG_WARNING, "ns_connection_post_io_or_closing", "post closure job "
+ "for conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd);
+ } else {
+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post closure job "
+ "for conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd);
+ }
}
} else {
/* process event normally - wait for I/O until idletimeout */
- tv.tv_sec = conn->c_idletimeout;
+ /* With nunc-stans there is a quirk. When we have idleTimeout of -1
+ * which is set on some IPA bind dns for infinite, this causes libevent
+ * to *instantly* timeout. So if we detect < 0, we set 0 to this timeout, to
+ * catch all possible times that an admin could set.
+ */
+ if (conn->c_idletimeout < 0) {
+ tv.tv_sec = 0;
+ } else {
+ tv.tv_sec = conn->c_idletimeout;
+ }
tv.tv_usec = 0;
#ifdef DEBUG
PR_ASSERT(0 == connection_acquire_nolock(conn));
@@ -1913,11 +1930,19 @@ ns_connection_post_io_or_closing(Connection *conn)
return;
}
#endif
- ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
+ PRStatus job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
NS_JOB_READ|NS_JOB_PRESERVE_FD,
ns_handle_pr_read_ready, conn, NULL);
- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post I/O job for "
- "conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd);
+#ifdef DEBUG
+ PR_ASSERT(job_result == PR_SUCCESS);
+#endif
+ if (job_result != PR_SUCCESS) {
+ slapi_log_err(SLAPI_LOG_WARNING, "ns_connection_post_io_or_closing", "post I/O job for "
+ "conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd);
+ } else {
+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post I/O job for "
+ "conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd);
+ }
}
#endif
}
diff --git a/src/nunc-stans/ns/ns_event_fw_event.c b/src/nunc-stans/ns/ns_event_fw_event.c
index 3acbaf7..76936de 100644
--- a/src/nunc-stans/ns/ns_event_fw_event.c
+++ b/src/nunc-stans/ns/ns_event_fw_event.c
@@ -48,7 +48,6 @@ typedef struct event ns_event_fw_sig_t;
#include "ns_event_fw.h"
#include <syslog.h>
-
static void
event_logger_cb(int severity, const char *msg)
{
@@ -248,13 +247,6 @@ ns_event_fw_mod_io(
}
if (events) {
job->ns_event_fw_fd->ev_events = events;
-
-#ifdef DEBUG_FSM
- /* REALLY make sure that we aren't being re-added */
- if (event_pending(job->ns_event_fw_fd, events, tv)) {
- abort();
- }
-#endif
event_add(job->ns_event_fw_fd, tv);
} else {
/* setting the job_type to remove IO events will remove it from the event system */
diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
index a867b39..9d87384 100644
--- a/src/nunc-stans/ns/ns_thrpool.c
+++ b/src/nunc-stans/ns/ns_thrpool.c
@@ -180,6 +180,14 @@ ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp)
return result;
}
+static int32_t
+validate_event_timeout(struct timeval *tv) {
+ if (tv->tv_sec < 0 || tv->tv_usec < 0) {
+ /* If we get here, you have done something WRONG */
+ return 1;
+ }
+ return 0;
+}
static void
job_queue_cleanup(void *arg) {
@@ -864,6 +872,10 @@ ns_add_timeout_job(ns_thrpool_t *tp, struct timeval *tv, ns_job_type_t job_type,
return PR_FAILURE;
}
+ if (validate_event_timeout(tv)) {
+ return PR_FAILURE;
+ }
+
/* get an event context for a timer job */
_job = alloc_timeout_context(tp, tv, job_type, func, data);
if (!_job) {
@@ -900,6 +912,10 @@ ns_add_io_timeout_job(ns_thrpool_t *tp, PRFileDesc *fd, struct timeval *tv,
return PR_FAILURE;
}
+ if (validate_event_timeout(tv)) {
+ return PR_FAILURE;
+ }
+
/* Don't allow an accept job to be run outside of the event thread.
* We do this so a listener job won't shut down while still processing
* current connections in other threads.
diff --git a/src/nunc-stans/test/test_nuncstans.c b/src/nunc-stans/test/test_nuncstans.c
index 8eef9e6..2795302 100644
--- a/src/nunc-stans/test/test_nuncstans.c
+++ b/src/nunc-stans/test/test_nuncstans.c
@@ -385,6 +385,23 @@ ns_job_signal_cb_test(void **state)
assert_int_equal(ns_job_done(job), 0);
}
+/*
+ * Test that given a timeout of -1, we fail to create a job.
+ */
+
+static void
+ns_job_neg_timeout_test(void **state)
+{
+ struct ns_thrpool_t *tp = *state;
+
+ struct timeval tv = { -1, 0 };
+
+ PR_ASSERT(PR_FAILURE == ns_add_io_timeout_job(tp, 0, &tv, NS_JOB_THREAD, ns_init_do_nothing_cb, NULL, NULL));
+
+ PR_ASSERT(PR_FAILURE == ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_init_do_nothing_cb, NULL, NULL));
+
+}
+
int
main(void)
{
@@ -410,6 +427,9 @@ main(void)
cmocka_unit_test_setup_teardown(ns_job_signal_cb_test,
ns_test_setup,
ns_test_teardown),
+ cmocka_unit_test_setup_teardown(ns_job_neg_timeout_test,
+ ns_test_setup,
+ ns_test_teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);
}
--
2.9.3

43
SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch Normal file
View file

@ -0,0 +1,43 @@
From 4569da8f2c55d54a34f31312ee5756c70a7f463c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 19 Oct 2017 17:33:10 -0400
Subject: [PATCH] Ticket 49408 - Server allows to set any nsds5replicaid in the
existing replica entry
Description: There was no value validation for replica ID. Now there is.
https://pagure.io/389-ds-base/issue/49408
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 296f0abb78b7ec82580d039d9c505506f6ce07be)
---
ldap/servers/plugins/replication/repl5_replica_config.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 22d766143..7477a292c 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -411,6 +411,18 @@ replica_config_modify(Slapi_PBlock *pb,
slapi_ch_free_string(&new_repl_type);
new_repl_type = slapi_ch_strdup(config_attr_value);
} else if (strcasecmp(config_attr, attr_replicaId) == 0) {
+ char *endp = NULL;
+ int64_t rid = 0;
+ errno = 0;
+ rid = strtoll(config_attr_value, &endp, 10);
+ if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) {
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n",
+ config_attr, config_attr_value);
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
+ break;
+ }
slapi_ch_free_string(&new_repl_id);
new_repl_id = slapi_ch_strdup(config_attr_value);
} else if (strcasecmp(config_attr, attr_flags) == 0) {
--
2.13.6

1366
SOURCES/0016-Issue-48989-Integer-overflow.patch
View file

File diff suppressed because it is too large Load diff

45
SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch Normal file
View file

@ -0,0 +1,45 @@
From 70d236dedadc030fd2b450d7607b395b50523538 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 19 Oct 2017 17:02:20 -0400
Subject: [PATCH] Ticket 49407 - status-dirsrv shows ellipsed lines
Bug Description: To show the full output you have to pass "-l" to systemctl,
but there is no way to use this option with the current design.
Fix Description: Just show the full lines by default, as adding options can break
the script's current usage.
https://pagure.io/389-ds-base/issue/49407
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 45d2fd4b50227687ad042a0e17d8dcd9e4cd3023)
---
ldap/admin/src/scripts/status-dirsrv.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/admin/src/scripts/status-dirsrv.in b/ldap/admin/src/scripts/status-dirsrv.in
index 90428990b..8e492c115 100755
--- a/ldap/admin/src/scripts/status-dirsrv.in
+++ b/ldap/admin/src/scripts/status-dirsrv.in
@@ -37,7 +37,7 @@ status_instance() {
# Use systemctl if available.
#
if [ -d "@systemdsystemunitdir@" ] && [ $(id -u) -eq 0 ];then
- @bindir@/systemctl status @package_name@@$SERV_ID.service
+ @bindir@/systemctl status @package_name@@$SERV_ID.service -l
rv=$?
if [ $rv -ne 0 ]; then
return 1
@@ -65,7 +65,7 @@ found=0
if [ $# -eq 0 ]; then
# We're reporting the status of all instances.
ret=0
- @bindir@/systemctl status @package_name@.target
+ @bindir@/systemctl status @package_name@.target -l
initfiles=`get_initconfig_files $initconfig_dir` || { echo No instances found in $initconfig_dir ; exit 1 ; }
for i in $initfiles; do
inst=`normalize_server_id $i`
--
2.13.6

38
SOURCES/0017-Issue-49035-dbmon.sh-shows-pages-in-use-that-exceeds.patch
View file

@ -1,38 +0,0 @@
From c14b2d88497724c4e19e5fae89bb40c95a61e1cb Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 30 Mar 2017 15:26:00 -0400
Subject: [PATCH] Issue 49035 - dbmon.sh shows pages-in-use that exceeds the
cache size
Bug Description: dbmon shows negative free cache stats because the pages-in-use exceeds
the expected size of the cache. This is because on caches smaller
than 500mb, libdb automatically increases the size by ~25%. The tool
is only checking the configured db cache size, and in this case its
actaully larger than what was conigured in dse.ldif.
Fix Description: dbmon.sh should use the libdb's "cache size in bytes", instead of
nsslapd-dbcachesize - as it could be different.
https://pagure.io/389-ds-base/issue/49035
Reviewed by: nhosoi & wibrown (Thanks!!)
---
ldap/admin/src/scripts/dbmon.sh.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/admin/src/scripts/dbmon.sh.in b/ldap/admin/src/scripts/dbmon.sh.in
index 4ee6adc..46796e2 100644
--- a/ldap/admin/src/scripts/dbmon.sh.in
+++ b/ldap/admin/src/scripts/dbmon.sh.in
@@ -47,7 +47,7 @@ parseldif() {
}
/^[^ ]|^$/ {origline = $0; $0 = unwrapline; unwrapline = origline}
/^ / {sub(/^ /, ""); unwrapline = unwrapline $0; next}
- /^nsslapd-dbcachesize/ { dbcachesize=$2 }
+ /^nsslapd-db-cache-size-bytes/ { dbcachesize=$2 }
/^nsslapd-db-page-size/ { pagesize=$2 }
/^dbcachehitratio/ { dbhitratio=$2 }
/^dbcachepagein/ { dbcachepagein=$2 }
--
2.9.3

37
SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch Normal file
View file

@ -0,0 +1,37 @@
From b7cca69de5f6cda32bc38504a7aa7e5bc786bbe6 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 19 Oct 2017 14:44:38 -0400
Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at
/usr/bin/logconv.pl line 2565, <$LOGFH> line 4
Bug description: The original fix for 48681 added a regression in regards to perl
warning everytime you ran the script. That was due to a new hash
for sasl binds that was not initialized.
Fix Description: Check is the saslbind hash "exists" before checking its value.
https://pagure.io/389-ds-base/issue/48681
Reviewed by: mreynolds (one line fix)
(cherry picked from commit e46749b77d95ad8fedf07d38890573b2862badf7)
---
ldap/admin/src/logconv.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 4932db42e..473c71f21 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -2562,7 +2562,7 @@ sub parseLineNormal
if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
$conn = $1;
$op = $2;
- if ($hashes->{saslconnop}->{$conn-$op} ne ""){
+ if (exists $hashes->{saslconnop}->{$conn-$op} && $hashes->{saslconnop}->{$conn-$op} ne ""){
# This was a SASL BIND - record the dn
if ($binddn ne ""){
if($binddn eq $rootDN){ $rootDNBindCount++; }
--
2.13.6

56
SOURCES/0018-Issue-49177-Fix-pkg-config-file.patch
View file

@ -1,56 +0,0 @@
From a1c4718d9db069ab088914ec983af8125eba3ac6 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 31 Mar 2017 09:34:27 -0400
Subject: [PATCH] Issue 49177 - Fix pkg-config file
Description: Need to remove the slash in front of the package name
https://pagure.io/389-ds-base/issue/49177
Reviewed by: lslebodn & wibrown (Thanks!!)
---
Makefile.am | 4 ++--
configure.ac | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 982dd28..485a460 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -261,7 +261,7 @@ sampledatadir = $(datadir)@sampledatadir@
systemschemadir = $(datadir)@systemschemadir@
propertydir = $(datadir)@propertydir@
schemadir = $(sysconfdir)@schemadir@
-serverdir = $(libdir)@serverdir@
+serverdir = $(libdir)/@serverdir@
serverplugindir = $(libdir)@serverplugindir@
taskdir = $(datadir)@scripttemplatedir@
systemdsystemunitdir = @with_systemdsystemunitdir@
@@ -276,7 +276,7 @@ infdir = $(datadir)@infdir@
mibdir = $(datadir)@mibdir@
updatedir = $(datadir)@updatedir@
pkgconfigdir = $(libdir)/pkgconfig
-serverincdir = $(includedir)@serverincdir@
+serverincdir = $(includedir)/@serverincdir@
defaultuser=@defaultuser@
defaultgroup=@defaultgroup@
diff --git a/configure.ac b/configure.ac
index 8172bab..51c4414 100644
--- a/configure.ac
+++ b/configure.ac
@@ -361,9 +361,9 @@ else
# relative to datadir
updatedir=/$PACKAGE_NAME/updates
# relative to libdir
- serverdir=/$PACKAGE_NAME
+ serverdir=$PACKAGE_NAME
# relative to includedir
- serverincdir=/$PACKAGE_NAME
+ serverincdir=$PACKAGE_NAME
# relative to libdir
serverplugindir=/$PACKAGE_NAME/plugins
# relative to datadir
--
2.9.3

132
SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch Normal file
View file

@ -0,0 +1,132 @@
From 4ecec8dac601b77a25ebc390f138aad1ee48d805 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 19 Oct 2017 12:20:48 -0400
Subject: [PATCH] Ticket 49374 - server fails to start because maxdisksize is
recognized incorrectly
Bug Description: When directly editting dse.ldif, the server had a check
when setting the log maxdiskspace vs maxlogsize. If the
maxlogsize is processed first and it is higher than the
default maxdisksspace then it throw an error and the server
fails to start.
If you attempt this same operation using ldapmodify it
works as "live" updates check all the mods first, so the
order of the attributes does not matter.
Fix description: Remove the size checks from the attribute set function.
It is technically redundant since it is correctly checked
by the configdse code.
https://pagure.io/389-ds-base/issue/49374
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 63a0a59c9b09af08151831209ee6711b4363aee2)
---
ldap/servers/slapd/log.c | 60 ++++++++++++------------------------------------
1 file changed, 15 insertions(+), 45 deletions(-)
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index e16d89cc5..998efaef3 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -960,7 +960,6 @@ int
log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *returntext, int apply)
{
int rv = LDAP_SUCCESS;
- PRInt64 mdiskspace = 0; /* in bytes */
PRInt64 max_logsize; /* in bytes */
int logsize; /* in megabytes */
slapdFrontendConfig_t *fe_cfg = getFrontendConfig();
@@ -979,72 +978,43 @@ log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *retu
switch (logtype) {
case SLAPD_ACCESS_LOG:
- LOG_ACCESS_LOCK_WRITE();
- mdiskspace = loginfo.log_access_maxdiskspace;
- break;
- case SLAPD_ERROR_LOG:
- LOG_ERROR_LOCK_WRITE();
- mdiskspace = loginfo.log_error_maxdiskspace;
- break;
- case SLAPD_AUDIT_LOG:
- LOG_AUDIT_LOCK_WRITE();
- mdiskspace = loginfo.log_audit_maxdiskspace;
- break;
- case SLAPD_AUDITFAIL_LOG:
- LOG_AUDITFAIL_LOCK_WRITE();
- mdiskspace = loginfo.log_auditfail_maxdiskspace;
- break;
- default:
- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid logtype %d", attrname, logtype);
- rv = LDAP_OPERATIONS_ERROR;
- }
-
- if ((max_logsize > mdiskspace) && (mdiskspace != -1)) {
- rv = 2;
- }
-
- switch (logtype) {
- case SLAPD_ACCESS_LOG:
- if (!rv && apply) {
+ if (apply) {
+ LOG_ACCESS_LOCK_WRITE();
loginfo.log_access_maxlogsize = max_logsize;
fe_cfg->accesslog_maxlogsize = logsize;
+ LOG_ACCESS_UNLOCK_WRITE();
}
- LOG_ACCESS_UNLOCK_WRITE();
break;
case SLAPD_ERROR_LOG:
- if (!rv && apply) {
+ if (apply) {
+ LOG_ERROR_LOCK_WRITE();
loginfo.log_error_maxlogsize = max_logsize;
fe_cfg->errorlog_maxlogsize = logsize;
+ LOG_ERROR_UNLOCK_WRITE();
}
- LOG_ERROR_UNLOCK_WRITE();
break;
case SLAPD_AUDIT_LOG:
- if (!rv && apply) {
+ if (apply) {
+ LOG_AUDIT_LOCK_WRITE();
loginfo.log_audit_maxlogsize = max_logsize;
fe_cfg->auditlog_maxlogsize = logsize;
+ LOG_AUDIT_UNLOCK_WRITE();
}
- LOG_AUDIT_UNLOCK_WRITE();
break;
case SLAPD_AUDITFAIL_LOG:
- if (!rv && apply) {
+ if (apply) {
+ LOG_AUDITFAIL_LOCK_WRITE();
loginfo.log_auditfail_maxlogsize = max_logsize;
fe_cfg->auditfaillog_maxlogsize = logsize;
+ LOG_AUDITFAIL_UNLOCK_WRITE();
}
- LOG_AUDITFAIL_UNLOCK_WRITE();
break;
default:
- rv = 1;
- }
- /* logsize is in MB */
- if (rv == 2) {
- slapi_log_err(SLAPI_LOG_ERR, "log_set_logsize",
- "Invalid value for Maximum log size:"
- "Maxlogsize:%d (MB) exceeds Maxdisksize:%ld (MB)\n",
- logsize, (long int)(mdiskspace / LOG_MB_IN_BYTES));
-
+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "%s: invalid logtype %d", attrname, logtype);
rv = LDAP_OPERATIONS_ERROR;
}
+
return rv;
}
--
2.13.6

1438
SOURCES/0019-Issue-49205-Fix-logconv.pl-man-page.patch
View file

File diff suppressed because it is too large Load diff

66
SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch Normal file
View file

@ -0,0 +1,66 @@
From ef4ac2d45c9ea99fbb1ae6cee97745161f193bf9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 25 Oct 2017 10:53:28 -0400
Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at
/usr/bin/logconv.pl
Bug Description: ldapi connections were not properly porcessed by the
connection parsing code which lead to uninitialized errors.
Fix Description: Modify the connection IP address regex's to include "local"
https://pagure.io/389-ds-base/issue/48681
Reviewd by: mreynolds (one line commit rule)
(cherry picked from commit 6098e7b927b64ba300567e71ea611140c47676a1)
---
ldap/admin/src/logconv.pl | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 473c71f21..e36386e11 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -809,9 +809,9 @@ if ($totalTimeInNsecs == 0){
print "Restarts: $serverRestartCount\n";
if(%cipher){
- print " Secure Protocol Versions:\n";
+ print "Secure Protocol Versions:\n";
foreach my $key (sort { $b cmp $a } keys %cipher) {
- print " - $key - $cipher{$key}\n";
+ print " - $key ($cipher{$key} connections)\n";
}
print "\n";
}
@@ -1754,7 +1754,7 @@ parseLineBind {
($end) = $endTime =~ /\D*(\S*)/;
}
}
- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ) {
+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) {
my $skip = "yes";
for (my $excl =0; $excl < $#excludeIP; $excl++){
if ($excludeIP[$excl] eq $1){
@@ -2085,7 +2085,7 @@ sub parseLineNormal
}
if (m/ connection from/){
my $ip;
- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ){
+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ){
$ip = $1;
for (my $xxx =0; $xxx < $#excludeIP; $xxx++){
if ($excludeIP[$xxx] eq $ip){$exc = "yes";}
@@ -2253,7 +2253,7 @@ sub parseLineNormal
}
if ($usage =~ /g/ || $usage =~ /c/ || $usage =~ /i/ || $usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ || $verb eq "yes"){
$exc = "no";
- if ($_ =~ /connection from *([0-9A-fa-f\.\:]+)/i ) {
+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) {
for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
if ($1 eq $excludeIP[$xxx]){
$exc = "yes";
--
2.13.6

121
SOURCES/0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch
View file

@ -1,121 +0,0 @@
From 578d207cd66e97e9ff8211559c62114a961e35a8 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 28 Mar 2017 14:21:47 -0400
Subject: [PATCH] Issue 49039 - password min age should be ignored if password
needs to be reset
Description: Do not check the password minimum age when changing a password
if the password "must" be reset.
https://pagure.io/389-ds-base/issue/49039
Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/tickets/ticket49039_test.py | 79 +++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 4 +-
2 files changed, 81 insertions(+), 2 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49039_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
new file mode 100644
index 0000000..e6d4c03
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -0,0 +1,79 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import Entry
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=user,dc=example,dc=com'
+
+
+def test_ticket49039(topo):
+ """Test "password must change" verses "password min age". Min age should not
+ block password update if the password was reset.
+ """
+
+ # Configure password policy
+ try:
+ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
+ (ldap.MOD_REPLACE, 'passwordMustChange', 'on'),
+ (ldap.MOD_REPLACE, 'passwordExp', 'on'),
+ (ldap.MOD_REPLACE, 'passwordMaxAge', '86400000'),
+ (ldap.MOD_REPLACE, 'passwordMinAge', '8640000'),
+ (ldap.MOD_REPLACE, 'passwordChange', 'on')])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to set password policy: ' + str(e))
+
+ # Add user, bind, and set password
+ try:
+ topo.standalone.add_s(Entry((USER_DN, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'user1',
+ 'userpassword': PASSWORD
+ })))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add user: error ' + e.message['desc'])
+ assert False
+
+ # Reset password as RootDN
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ time.sleep(1)
+
+ # Reset password as user
+ try:
+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to change password: error ' + e.message['desc'])
+ assert False
+
+ log.info('Test Passed')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 4bef90a..32defae 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,8 +1326,8 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
/* check if password is within password minimum age;
error result is sent directly from check_pw_minage */
- if ((internal_op || !pb->pb_conn->c_needpw) &&
- check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
+ if (!pb->pb_conn->c_needpw &&
+ check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
{
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
{
--
2.9.3

106
SOURCES/0075-Ticket-49401-improve-valueset-sorted-performance-on-.patch → SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch
View file

@ -1,4 +1,4 @@
From 64b9d015523b4ae379ff2d72fc73da173be8a712 Mon Sep 17 00:00:00 2001
From a59b2f4129565dbfa1b63899dd550e9c22b02923 Mon Sep 17 00:00:00 2001
From: Mohammad Nweider <nweiderm@amazon.com>
Date: Wed, 18 Oct 2017 13:02:15 +0000
Subject: [PATCH] Ticket 49401 - improve valueset sorted performance on delete
@ -27,13 +27,13 @@ Review by: wibrown, lkrispen, tbordaz (Thanks nweiderm!)
(cherry picked from commit a43a8efc7907116146b505ac40f18fac71f474b0)
---
ldap/servers/slapd/valueset.c | 171 +++++++++++++++++++++++++-----------------
1 file changed, 102 insertions(+), 69 deletions(-)
1 file changed, 103 insertions(+), 68 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index e22bc9c39..ae0a13fdc 100644
index d2c67d2fb..1c1bc150a 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -741,7 +741,10 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
@@ -677,100 +677,136 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
size_t i = 0;
size_t j = 0;
int nextValue = 0;
@ -43,12 +43,16 @@ index e22bc9c39..ae0a13fdc 100644
+ int *sorted2 = NULL;
/* Loop over all the values freeing the old ones. */
for(i = 0; i < vs->num; i++)
@@ -752,91 +755,122 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
- for (i = 0; i < vs->num; i++) {
+ for(i = 0; i < vs->num; i++)
+ {
/* If we have the sorted array, find the va array ref by it. */
if (vs->sorted) {
j = vs->sorted[i];
} else {
j = i;
}
- csnset_purge(&(vs->va[j]->v_csnset),csn);
- csnset_purge(&(vs->va[j]->v_csnset), csn);
- if (vs->va[j]->v_csnset == NULL) {
- slapi_value_free(&vs->va[j]);
- vs->va[j] = NULL;
@ -90,6 +94,14 @@ index e22bc9c39..ae0a13fdc 100644
+ * Now a second va is created with the reduced allocation,
+ *
+ * va2: [ X X X X ] ....
+ *
+ * Now we loop over sorted, skipping -1 that we find. In a new counter we create new sorted
+ * references, and move the values compacting them in the process.
+ * va: [d e a c NULL]
+ * va2: [a x x x]
+ * sorted: [_0 -1 3 0 1]
+ *
+ * Looping a few more times would yield:
*
- * We have an array of values:
- * [ b, a, c, NULL, e, NULL, NULL, d]
@ -98,26 +110,18 @@ index e22bc9c39..ae0a13fdc 100644
- * Were we to iterate over the sorted array, we get refs to the values in
- * some order.
- * The issue is now we must *remove* from both the values *and* the sorted.
+ * Now we loop over sorted, skipping -1 that we find. In a new counter we create new sorted
+ * references, and move the values compacting them in the process.
+ * va: [d e a c NULL]
+ * va2: [a x x x]
+ * sorted: [_0 -1 3 0 1]
+ * va2: [a c x x]
+ * sorted: [_0 _1 3 0 1]
*
- * Previously, we just discarded this, because too hard. Now we try to keep
- * it. The issue is that this is surprisingly hard to actually keep in
- * sync.
+ * Looping a few more times would yield:
+ * va2: [a c d x]
+ * sorted: [_0 _1 _2 0 1]
*
- * We can't just blindly move the values down: That breaks the sorted array
- * and we would need to iterate over the sorted array multiple times to
- * achieve this.
+ * va2: [a c x x]
+ * sorted: [_0 _1 3 0 1]
+ *
+ * va2: [a c d x]
+ * sorted: [_0 _1 _2 0 1]
+ *
+ * va2: [a c d e]
+ * sorted: [_0 _1 _2 _3 1]
+ *
@ -135,8 +139,7 @@ index e22bc9c39..ae0a13fdc 100644
+ }
- j = 0;
- while (nextValue < numValues && j < vs->num)
- {
- while (nextValue < numValues && j < vs->num) {
- /* nextValue is what we are looking at now
- * j tracks along the array getting next elements.
- *
@ -184,25 +187,7 @@ index e22bc9c39..ae0a13fdc 100644
}
- /* We have something! */
- vs->va[nextValue] = vs->va[j];
+ }
+
+ if (vs->sorted) {
+ /* Finally replace the valuearray and adjust num, max */
+ slapi_ch_free((void **)&vs->va);
+ slapi_ch_free((void **)&vs->sorted);
+ vs->va = va2;
+ vs->sorted = sorted2;
+ vs->num = numValues;
+ vs->max = vs->num + 1;
+ } else {
+ vs->num = numValues;
+ }
+
+ for (j = vs->num; j < vs->max; j++) {
vs->va[j] = NULL;
+ if (vs->sorted) {
+ vs->sorted[j] = -1;
+ }
- vs->va[j] = NULL;
}
- nextValue++;
- }
@ -212,30 +197,47 @@ index e22bc9c39..ae0a13fdc 100644
- /* Other parts of DS are lazy. Lets clean our list */
- for (j = vs->num; j < vs->max; j++) {
- vs->va[j] = NULL;
+ } else {
+ slapi_valueset_done(vs);
}
- }
- /* All the values were deleted, we can discard the whole array. */
- if(vs->num == 0) {
- if(vs->sorted) {
- slapi_ch_free ((void **)&vs->sorted);
- }
- slapi_ch_free ((void **)&vs->va);
- if (vs->num == 0) {
if (vs->sorted) {
+ /* Finally replace the valuearray and adjust num, max */
+ slapi_ch_free((void **)&vs->va);
slapi_ch_free((void **)&vs->sorted);
+ vs->va = va2;
+ vs->sorted = sorted2;
+ vs->num = numValues;
+ vs->max = vs->num + 1;
+ } else {
+ vs->num = numValues;
}
- slapi_ch_free((void **)&vs->va);
- vs->va = NULL;
- vs->max = 0;
- } else if (vs->sorted != NULL) {
- /* We still have values! rebuild the sorted array */
- valueset_array_to_sorted(a, vs);
+
+ for (j = vs->num; j < vs->max; j++) {
+ vs->va[j] = NULL;
+ if (vs->sorted) {
+ vs->sorted[j] = -1;
+ }
+ }
+ } else {
+ slapi_valueset_done(vs);
}
+ /* We still have values but not sorted array! rebuild it */
+ if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) {
+ vs->sorted = (int *) slapi_ch_malloc( vs->max* sizeof(int));
valueset_array_to_sorted(a, vs);
}
-
+ valueset_array_to_sorted(a, vs);
+ }
#ifdef DEBUG
PR_ASSERT(vs->num == 0 || (vs->num > 0 && vs->va[0] != NULL));
size_t index = 0;
@@ -847,7 +881,6 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
@@ -781,7 +817,6 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
PR_ASSERT(vs->va[index] == NULL);
}
#endif

10
SOURCES/0076-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch → SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch
View file

@ -1,4 +1,4 @@
From 43c73ca572af6a4bdc9b5994a9640f4d4e713cc2 Mon Sep 17 00:00:00 2001
From 308691e03cc6312bde3409b346df3156d34db0fe Mon Sep 17 00:00:00 2001
From: Mohammad Nweider <nweiderm@amazon.com>
Date: Wed, 25 Oct 2017 16:26:54 +0000
Subject: [PATCH] Ticket 49401 - Fix compiler incompatible-pointer-types
@ -19,10 +19,10 @@ Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index ae0a13fdc..8730d9f56 100644
index 1c1bc150a..dc0360738 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -744,7 +744,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
@@ -680,7 +680,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
int nv = 0;
int numValues = 0;
Slapi_Value **va2 = NULL;
@ -31,7 +31,7 @@ index ae0a13fdc..8730d9f56 100644
/* Loop over all the values freeing the old ones. */
for(i = 0; i < vs->num; i++)
@@ -814,7 +814,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
@@ -750,7 +750,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
if(vs->sorted) {
/* Let's allocate va2 and sorted2 */
va2 = (Slapi_Value **) slapi_ch_malloc( (numValues + 1) * sizeof(Slapi_Value *));
@ -40,7 +40,7 @@ index ae0a13fdc..8730d9f56 100644
}
/* I is the index for the *new* va2 array */
@@ -868,7 +868,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
@@ -804,7 +804,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
/* We still have values but not sorted array! rebuild it */
if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) {

110
SOURCES/0021-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
View file

@ -1,110 +0,0 @@
From ea60248d99abb8fed9f7a2b1ab7325c5523b8562 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Mon, 3 Apr 2017 09:32:20 +0200
Subject: [PATCH] fix for cve 2017-2668 - simple return text if suffix not
found
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1436575
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
---
ldap/servers/slapd/defbackend.c | 75 ++---------------------------------------
1 file changed, 2 insertions(+), 73 deletions(-)
diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c
index 6fd74a3..6cd2c04 100644
--- a/ldap/servers/slapd/defbackend.c
+++ b/ldap/servers/slapd/defbackend.c
@@ -166,50 +166,7 @@ defbackend_abandon( Slapi_PBlock *pb )
}
-#define DEFBE_NO_SUCH_SUFFIX "No such suffix"
-/*
- * Generate a "No such suffix" return text
- * Example:
- * cn=X,dc=bogus,dc=com ==> "No such suffix (dc=bogus,dc=com)"
- * if the last rdn starts with "dc=", print all last dc= rdn's.
- * cn=X,cn=bogus ==> "No such suffix (cn=bogus)"
- * otherwise, print the very last rdn.
- * cn=X,z=bogus ==> "No such suffix (x=bogus)"
- * it is true even if it is an invalid rdn.
- * cn=X,bogus ==> "No such suffix (bogus)"
- * another example of invalid rdn.
- */
-static void
-_defbackend_gen_returntext(char *buffer, size_t buflen, char **dns)
-{
- int dnidx;
- int sidx;
- struct suffix_repeat {
- char *suffix;
- int size;
- } candidates[] = {
- {"dc=", 3}, /* dc could be repeated. otherwise the last rdn is used. */
- {NULL, 0}
- };
- PR_snprintf(buffer, buflen, "%s (", DEFBE_NO_SUCH_SUFFIX);
- for (dnidx = 0; dns[dnidx]; dnidx++) ; /* finding the last */
- dnidx--; /* last rdn */
- for (sidx = 0; candidates[sidx].suffix; sidx++) {
- if (!PL_strncasecmp(dns[dnidx], candidates[sidx].suffix, candidates[sidx].size)) {
- while (!PL_strncasecmp(dns[--dnidx], candidates[sidx].suffix, candidates[sidx].size)) ;
- PL_strcat(buffer, dns[++dnidx]); /* the first "dn=", e.g. */
- for (++dnidx; dns[dnidx]; dnidx++) {
- PL_strcat(buffer, ",");
- PL_strcat(buffer, dns[dnidx]);
- }
- PL_strcat(buffer, ")");
- return; /* finished the task */
- }
- }
- PL_strcat(buffer, dns[dnidx]);
- PL_strcat(buffer, ")");
- return;
-}
+#define DEFBE_NO_SUCH_SUFFIX "No suffix for bind dn found"
static int
defbackend_bind( Slapi_PBlock *pb )
@@ -231,36 +188,8 @@ defbackend_bind( Slapi_PBlock *pb )
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
rc = SLAPI_BIND_ANONYMOUS;
} else {
- Slapi_DN *sdn = NULL;
- char *suffix = NULL;
- char **dns = NULL;
-
- if (pb->pb_op) {
- sdn = operation_get_target_spec(pb->pb_op);
- if (sdn) {
- dns = slapi_ldap_explode_dn(slapi_sdn_get_dn(sdn), 0);
- if (dns) {
- size_t dnlen = slapi_sdn_get_ndn_len(sdn);
- size_t len = dnlen + sizeof(DEFBE_NO_SUCH_SUFFIX) + 4;
- suffix = slapi_ch_malloc(len);
- if (dnlen) {
- _defbackend_gen_returntext(suffix, len, dns);
- } else {
- PR_snprintf(suffix, len, "%s", DEFBE_NO_SUCH_SUFFIX);
- }
- }
- }
- }
- if (suffix) {
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, suffix);
- } else {
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX);
- }
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX);
send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
- if (dns) {
- slapi_ldap_value_free(dns);
- }
- slapi_ch_free_string(&suffix);
rc = SLAPI_BIND_FAIL;
}
--
2.9.3

63
SOURCES/0022-Issue-47662-CLI-args-get-removed.patch
View file

@ -1,63 +0,0 @@
From 3937047eee31638df068b3294aa90ef603915676 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 10 Apr 2017 14:55:55 -0400
Subject: [PATCH] Issue 47662 - CLI args get removed
Bug Description. Regression from previous fix. The process to check unknown
CLI options blows away the built-in arg list "$@"
Fix Description: Make a copy of $@, and use it as needed.
https://pagure.io/389-ds-base/issue/47662
Reviewed by: nhosoi(Thanks!)
---
ldap/admin/src/scripts/db2ldif.in | 3 ++-
ldap/admin/src/scripts/ldif2db.in | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ldap/admin/src/scripts/db2ldif.in b/ldap/admin/src/scripts/db2ldif.in
index 85854b3..08f30e4 100755
--- a/ldap/admin/src/scripts/db2ldif.in
+++ b/ldap/admin/src/scripts/db2ldif.in
@@ -130,6 +130,7 @@ do
esac
done
+ARGS=$@
shift $(($OPTIND - 1))
if [ $1 ]
then
@@ -156,7 +157,7 @@ fi
servid=`normalize_server_id $initfile`
. $initfile
-ldif_file=`make_ldiffile $@`
+ldif_file=`make_ldiffile $ARGS`
rn=$?
echo "Exported ldif file: $ldif_file"
diff --git a/ldap/admin/src/scripts/ldif2db.in b/ldap/admin/src/scripts/ldif2db.in
index f968303..20c7d46 100755
--- a/ldap/admin/src/scripts/ldif2db.in
+++ b/ldap/admin/src/scripts/ldif2db.in
@@ -87,6 +87,7 @@ then
exit 1
fi
+ARGS=$@
shift $(($OPTIND - 1))
if [ $1 ]
then
@@ -106,7 +107,7 @@ fi
. $initfile
-handleopts $@
+handleopts $ARGS
quiet=$?
if [ $quiet -eq 0 ]; then
echo importing data ...
--
2.9.3

10
SOURCES/0074-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch → SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch
View file

@ -1,4 +1,4 @@
From 91c80c06affa3f4bfe106d2291efc360ab2b421d Mon Sep 17 00:00:00 2001
From dba89dd23d2d62686de192e0986eba65270a62c7 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 26 Oct 2017 10:03:39 -0400
Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset
@ -17,19 +17,19 @@ Reviewed by: nweiderm (Thanks!)
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
index 8a824ac4a..e22bc9c39 100644
index dc0360738..14ebc48e6 100644
--- a/ldap/servers/slapd/valueset.c
+++ b/ldap/servers/slapd/valueset.c
@@ -1054,11 +1054,11 @@ valueset_array_to_sorted_quick (const Slapi_Attr *a, Slapi_ValueSet *vs, size_t
@@ -1019,11 +1019,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l
while (1) {
do {
i++;
- } while ( valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
- } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
do {
j--;
- } while ( valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
- } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
+ } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0);
if (i >= j) {

141
SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch
View file

@ -1,141 +0,0 @@
From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 5 Apr 2017 11:05:28 -0400
Subject: [PATCH] Issue 49210 - Fix regression when checking is password min
age should be checked
Bug Description: If a plugin makes an internal modification of userpassword
the connection structure in the pblock is null, and it was
being dereferenced.
Fix Description: These internal operations do not need to have the password
policy checks done. They are intended to be unrestricted.
So we only need to check password policy on client connections.
The fix frist hecks if the connection structy is present,
only then it continues.
Revised test script to include the tool: ldappasswd
https://pagure.io/389-ds-base/issue/49210
Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 2 +-
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
index e6d4c03..f0b224c 100644
--- a/dirsrvtests/tests/tickets/ticket49039_test.py
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -2,6 +2,7 @@ import time
import ldap
import logging
import pytest
+import os
from lib389 import Entry
from lib389._constants import *
from lib389.properties import *
@@ -9,6 +10,7 @@ from lib389.tasks import *
from lib389.utils import *
from lib389.topologies import topology_st as topo
+
DEBUGGING = os.getenv("DEBUGGING", default=False)
if DEBUGGING:
logging.getLogger(__name__).setLevel(logging.DEBUG)
@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)
USER_DN = 'uid=user,dc=example,dc=com'
+def ssl_init(topo):
+ """ Setup TLS
+ """
+ topo.standalone.stop()
+ # Prepare SSL but don't enable it.
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topo.standalone.confdir, f))
+ except:
+ pass
+ assert(topo.standalone.nss_ssl.reinit() is True)
+ assert(topo.standalone.nss_ssl.create_rsa_ca() is True)
+ assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Start again
+ topo.standalone.start()
+ topo.standalone.rsa.create()
+ topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')
+ topo.standalone.config.set('nsslapd-secureport', '%s' %
+ SECUREPORT_STANDALONE1)
+ topo.standalone.config.set('nsslapd-security', 'on')
+ topo.standalone.restart()
+
+ log.info("SSL setup complete\n")
+
+
def test_ticket49039(topo):
"""Test "password must change" verses "password min age". Min age should not
block password update if the password was reset.
"""
+ # Setup SSL (for ldappasswd test)
+ ssl_init(topo)
+
# Configure password policy
try:
topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
@@ -68,6 +98,38 @@ def test_ticket49039(topo):
log.fatal('Failed to change password: error ' + e.message['desc'])
assert False
+ ###################################
+ # Make sure ldappasswd also works
+ ###################################
+
+ # Reset password as RootDN
+ try:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ time.sleep(1)
+
+ # Run ldappasswd as the User.
+ cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +
+ ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +
+ ' -w password -a password -s password2 ' + USER_DN)
+ os.system(cmd)
+ time.sleep(1)
+
+ try:
+ topo.standalone.simple_bind_s(USER_DN, "password2")
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
log.info('Test Passed')
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 32defae..e23fe67 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
/* check if password is within password minimum age;
error result is sent directly from check_pw_minage */
- if (!pb->pb_conn->c_needpw &&
+ if (pb->pb_conn && !pb->pb_conn->c_needpw &&
check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
{
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
--
2.9.3

176
SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch Normal file
View file

@ -0,0 +1,176 @@
From 5909e20899334816f36cac0e47105e56df52ad3c Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Mon, 30 Oct 2017 12:01:34 +1000
Subject: [PATCH] Ticket 49424 - Resolve csiphash alignment issues
Bug Description: On some platforms, uint64_t is not the same size
as a void * - as well, if the input is not aligned correctly, then
a number of nasty crashes can result
Fix Description: Instead of relying on alignment to be correct,
we should memcpy the data to inputs instead.
https://pagure.io/389-ds-base/issue/49424
Author: wibrown
Review by: lslebodn, cgrzemba, vashirov, mreynolds (Thanks!)
(cherry picked from commit 751446440f5269a246e6e652a64e63aa5933734a)
---
src/libsds/external/csiphash/csiphash.c | 52 +++++++++++++++++++--------------
src/libsds/test/test_sds_csiphash.c | 43 +++++++++++++++++++++------
2 files changed, 64 insertions(+), 31 deletions(-)
diff --git a/src/libsds/external/csiphash/csiphash.c b/src/libsds/external/csiphash/csiphash.c
index 0089c82f7..2351db6cf 100644
--- a/src/libsds/external/csiphash/csiphash.c
+++ b/src/libsds/external/csiphash/csiphash.c
@@ -32,6 +32,9 @@
#include <inttypes.h>
#include <stddef.h> /* for size_t */
+#include <stdlib.h> /* calloc,free */
+#include <string.h> /* memcpy */
+
#include <config.h>
#if defined(HAVE_SYS_ENDIAN_H)
@@ -75,11 +78,24 @@
uint64_t
sds_siphash13(const void *src, size_t src_sz, const char key[16])
{
- const uint64_t *_key = (uint64_t *)key;
+ uint64_t _key[2] = {0};
+ memcpy(_key, key, 16);
uint64_t k0 = _le64toh(_key[0]);
uint64_t k1 = _le64toh(_key[1]);
uint64_t b = (uint64_t)src_sz << 56;
- const uint64_t *in = (uint64_t *)src;
+
+ size_t input_sz = (src_sz / sizeof(uint64_t)) + 1;
+
+ /* Account for non-uint64_t alligned input */
+ /* Could make this stack allocation */
+ uint64_t *in = calloc(1, input_sz * sizeof(uint64_t));
+ /*
+ * Because all crypto code sucks, they modify *in
+ * during operation, so we stash a copy of the ptr here.
+ * alternately, we could use stack allocated array, but gcc
+ * will complain about the vla being unbounded.
+ */
+ uint64_t *in_ptr = memcpy(in, src, src_sz);
uint64_t v0 = k0 ^ 0x736f6d6570736575ULL;
uint64_t v1 = k1 ^ 0x646f72616e646f6dULL;
@@ -96,27 +112,15 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16])
v0 ^= mi;
}
+ /*
+ * Because we allocate in as size + 1, we can over-read 0
+ * for this buffer to be padded correctly. in here is a pointer to the
+ * excess data because the while loop above increments the in pointer
+ * to point to the excess once src_sz drops < 8.
+ */
uint64_t t = 0;
- uint8_t *pt = (uint8_t *)&t;
- uint8_t *m = (uint8_t *)in;
-
- switch (src_sz) {
- case 7:
- pt[6] = m[6]; /* FALLTHRU */
- case 6:
- pt[5] = m[5]; /* FALLTHRU */
- case 5:
- pt[4] = m[4]; /* FALLTHRU */
- case 4:
- *((uint32_t *)&pt[0]) = *((uint32_t *)&m[0]);
- break;
- case 3:
- pt[2] = m[2]; /* FALLTHRU */
- case 2:
- pt[1] = m[1]; /* FALLTHRU */
- case 1:
- pt[0] = m[0]; /* FALLTHRU */
- }
+ memcpy(&t, in, sizeof(uint64_t));
+
b |= _le64toh(t);
v3 ^= b;
@@ -126,5 +130,9 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16])
v2 ^= 0xff;
// dround
dROUND(v0, v1, v2, v3);
+
+ free(in_ptr);
+
return (v0 ^ v1) ^ (v2 ^ v3);
}
+
diff --git a/src/libsds/test/test_sds_csiphash.c b/src/libsds/test/test_sds_csiphash.c
index cdb6b7f46..cc9a6b2b5 100644
--- a/src/libsds/test/test_sds_csiphash.c
+++ b/src/libsds/test/test_sds_csiphash.c
@@ -25,23 +25,48 @@
static void
test_siphash(void **state __attribute__((unused)))
{
-
- //
uint64_t value = 0;
uint64_t hashout = 0;
char key[16] = {0};
- uint64_t test_a = 15794382300316794652U;
- uint64_t test_b = 13042610424265326907U;
+ uint64_t test_simple = 15794382300316794652U;
- // Initial simple test
+ /* Initial simple test */
value = htole64(5);
hashout = sds_siphash13(&value, sizeof(uint64_t), key);
- assert_true(hashout == test_a);
+ assert_int_equal(hashout, test_simple);
+
+ /* Test a range of input sizes to check endianness behaviour */
+
+ hashout = sds_siphash13("a", 1, key);
+ assert_int_equal(hashout, 0x407448d2b89b1813U);
+
+ hashout = sds_siphash13("aa", 2, key);
+ assert_int_equal(hashout, 0x7910e0436ed8d1deU);
+
+ hashout = sds_siphash13("aaa", 3, key);
+ assert_int_equal(hashout, 0xf752893a6c769652U);
+
+ hashout = sds_siphash13("aaaa", 4, key);
+ assert_int_equal(hashout, 0x8b02350718d87164U);
+
+ hashout = sds_siphash13("aaaaa", 5, key);
+ assert_int_equal(hashout, 0x92a991474c7eef2U);
+
+ hashout = sds_siphash13("aaaaaa", 6, key);
+ assert_int_equal(hashout, 0xf0ab815a640277ccU);
+
+ hashout = sds_siphash13("aaaaaaa", 7, key);
+ assert_int_equal(hashout, 0x33f3c6d7dbc82c0dU);
+
+ hashout = sds_siphash13("aaaaaaaa", 8, key);
+ assert_int_equal(hashout, 0xc501b12e18428c92U);
+
+ hashout = sds_siphash13("aaaaaaaabbbb", 12, key);
+ assert_int_equal(hashout, 0xcddca673069ade64U);
- char *test = "abc";
- hashout = sds_siphash13(test, 4, key);
- assert_true(hashout == test_b);
+ hashout = sds_siphash13("aaaaaaaabbbbbbbb", 16, key);
+ assert_int_equal(hashout, 0xdc54f0bfc0e1deb0U);
}
int
--
2.13.6

42
SOURCES/0024-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
View file

@ -1,42 +0,0 @@
From 765520fa7bf49f2de542d619b0fce99e13e4d53a Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 4 Apr 2017 10:44:55 +0200
Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release
Bug Description:
When an operation is canceled (failure), its csn is aborted
and removed from the pending list.
If at that time the pending list is empty or the csn is not found
in that list, the cancel callback forgots to release the replica lock
Fix Description:
Release replica lock systematically, whether cnsplRemove fails or not
https://pagure.io/389-ds-base/issue/49209
Reviewed by: Mark Reynolds (thanks Mark !!)
Platforms tested: F23
Flag Day: no
Doc impact: no
---
ldap/servers/plugins/replication/repl5_replica.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 7beef50..5718a98 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -3662,6 +3662,7 @@ abort_csn_callback(const CSN *csn, void *data)
int rc = csnplRemove(r->min_csn_pl, csn);
if (rc) {
slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "abort_csn_callback - csnplRemove failed");
+ replica_unlock(r->repl_lock);
return;
}
}
--
2.9.3

258
SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch Normal file
View file

@ -0,0 +1,258 @@
From dcf75750dff23e848cde2ae63a0778b123de6dd7 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Thu, 2 Nov 2017 13:32:41 +1000
Subject: [PATCH] Ticket 49436 - double free in COS in some conditions
Bug Description: virtualattrs and COS have some serious memory
ownership issues. What was happening is that COS with multiple
attributes using the same sp_handle would cause a structure
to be registered twice. During shutdown we would then trigger
a double free in the process.
Fix Description: Change the behaviour of sp_handles to use a
handle *per* attribute we register to guarantee the assocation
between them.
https://pagure.io/389-ds-base/issue/49436
Author: wibrown
Review by: mreynolds, vashirov (Thanks!)
(cherry pick from commit ee4428a3f5d2d8e37a7107c7dce9d622fc17d41c)
---
dirsrvtests/tests/suites/cos/indirect_cos_test.py | 43 +++++++----------------
ldap/servers/plugins/cos/cos_cache.c | 32 +++++++++--------
ldap/servers/plugins/roles/roles_cache.c | 8 ++---
ldap/servers/slapd/vattr.c | 28 +++++++++------
4 files changed, 51 insertions(+), 60 deletions(-)
diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
index 1aac6b8ed..452edcdf8 100644
--- a/dirsrvtests/tests/suites/cos/indirect_cos_test.py
+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
@@ -7,6 +7,7 @@ import subprocess
from lib389 import Entry
from lib389.idm.user import UserAccounts
+from lib389.idm.domain import Domain
from lib389.topologies import topology_st as topo
from lib389._constants import (DEFAULT_SUFFIX, DN_DM, PASSWORD, HOST_STANDALONE,
SERVERID_STANDALONE, PORT_STANDALONE)
@@ -48,14 +49,8 @@ def check_user(inst):
def setup_subtree_policy(topo):
"""Set up subtree password policy
"""
- try:
- topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE,
- 'nsslapd-pwpolicy-local',
- 'on')])
- except ldap.LDAPError as e:
- log.error('Failed to set fine-grained policy: error {}'.format(
- e.message['desc']))
- raise e
+
+ topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
try:
@@ -68,15 +63,9 @@ def setup_subtree_policy(topo):
OU_PEOPLE, e.message['desc']))
raise e
- log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE))
- try:
- topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE,
- 'pwdpolicysubentry',
- PW_POLICY_CONT_PEOPLE2)])
- except ldap.LDAPError as e:
- log.error('Failed to pwdpolicysubentry pw policy '
- 'policy for {}: error {}'.format(OU_PEOPLE, e.message['desc']))
- raise e
+ domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+ domain.replace('pwdpolicysubentry', PW_POLICY_CONT_PEOPLE2)
+
time.sleep(1)
@@ -116,12 +105,9 @@ def setup(topo, request):
"""
log.info('Add custom schema...')
try:
- ATTR_1 = ("( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' " +
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
- ATTR_2 = ("( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' " +
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
- OC = ("( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY " +
- "( x-department $ x-en-ou ) X-ORIGIN 'user defined' )")
+ ATTR_1 = (b"( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
+ ATTR_2 = (b"( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
+ OC = (b"( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY ( x-department $ x-en-ou ) X-ORIGIN 'user defined' )")
topo.standalone.modify_s("cn=schema", [(ldap.MOD_ADD, 'attributeTypes', ATTR_1),
(ldap.MOD_ADD, 'attributeTypes', ATTR_2),
(ldap.MOD_ADD, 'objectClasses', OC)])
@@ -142,14 +128,9 @@ def setup(topo, request):
'homeDirectory': '/home/test_user',
'seeAlso': 'cn=cosTemplate,dc=example,dc=com'
}
- users.create(properties=user_properties)
- try:
- topo.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_ADD,
- 'objectclass',
- 'xPerson')])
- except ldap.LDAPError as e:
- log.fatal('Failed to add objectclass to user')
- raise e
+ user = users.create(properties=user_properties)
+
+ user.add('objectClass', 'xPerson')
# Setup COS
log.info("Setup indirect COS...")
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index 9ae15db15..662dace35 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -109,9 +109,6 @@ void *cos_get_plugin_identity(void);
#define COSTYPE_INDIRECT 3
#define COS_DEF_ERROR_NO_TEMPLATES -2
-/* the global plugin handle */
-static volatile vattr_sp_handle *vattr_handle = NULL;
-
/* both variables are protected by change_lock */
static int cos_cache_notify_flag = 0;
static PRBool cos_cache_at_work = PR_FALSE;
@@ -323,16 +320,6 @@ cos_cache_init(void)
views_api = 0;
}
- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
- cos_cache_vattr_get,
- cos_cache_vattr_compare,
- cos_cache_vattr_types) != 0) {
- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM,
- "cos_cache_init - Cannot register as service provider\n");
- ret = -1;
- goto out;
- }
-
if (PR_CreateThread(PR_USER_THREAD,
cos_cache_wait_on_change,
NULL,
@@ -860,8 +847,23 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
dnVals[valIndex]->bv_val);
}
- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle,
- dnVals[valIndex]->bv_val, NULL, NULL);
+ /*
+ * Each SP_handle is associated to one and only one vattr.
+ * We could consider making this a single function rather
+ * than the double-call.
+ */
+
+ vattr_sp_handle *vattr_handle = NULL;
+
+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
+ cos_cache_vattr_get,
+ cos_cache_vattr_compare,
+ cos_cache_vattr_types) != 0) {
+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val);
+ } else {
+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
+ }
+
} /* if(attrType is cosAttribute) */
/*
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 59f5a6081..1e5865af8 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -47,9 +47,6 @@ static char *allUserAttributes[] = {
/* views scoping */
static void **views_api;
-/* Service provider handler */
-static vattr_sp_handle *vattr_handle = NULL;
-
/* List of nested roles */
typedef struct _role_object_nested
{
@@ -224,6 +221,10 @@ roles_cache_init()
so that we update the corresponding cache */
slapi_register_backend_state_change(NULL, roles_cache_trigger_update_suffix);
+ /* Service provider handler - only used once! and freed by vattr! */
+ vattr_sp_handle *vattr_handle = NULL;
+
+
if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
roles_sp_get_value,
roles_sp_compare_value,
@@ -622,7 +623,6 @@ roles_cache_stop()
current_role = next_role;
}
slapi_rwlock_unlock(global_lock);
- slapi_ch_free((void **)&vattr_handle);
roles_list = NULL;
slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<-- roles_cache_stop\n");
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index 82deb41fe..432946c79 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -1864,7 +1864,12 @@ vattr_map_create(void)
void
vattr_map_entry_free(vattr_map_entry *vae)
{
- slapi_ch_free((void **)&(vae->sp_list));
+ vattr_sp_handle *list_entry = vae->sp_list;
+ while (list_entry != NULL) {
+ vattr_sp_handle *next_entry = list_entry->next;
+ slapi_ch_free((void **)&list_entry);
+ list_entry = next_entry;
+ }
slapi_ch_free_string(&(vae->type_name));
slapi_ch_free((void **)&vae);
}
@@ -2143,16 +2148,9 @@ slapi_vattr_schema_check_type(Slapi_Entry *e, char *type)
vattr_map_entry *
vattr_map_entry_new(char *type_name, vattr_sp_handle *sph, void *hint)
{
- vattr_map_entry *result = NULL;
- vattr_sp_handle *sp_copy = NULL;
-
- sp_copy = (vattr_sp_handle *)slapi_ch_calloc(1, sizeof(vattr_sp_handle));
- sp_copy->sp = sph->sp;
- sp_copy->hint = hint;
-
- result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry));
+ vattr_map_entry *result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry));
result->type_name = slapi_ch_strdup(type_name);
- result->sp_list = sp_copy;
+ result->sp_list = sph;
/* go get schema */
result->objectclasses = vattr_map_entry_build_schema(type_name);
@@ -2273,6 +2271,16 @@ we'd need to hold a lock on the read path, which we don't want to do.
So any SP which relinquishes its need to handle a type needs to continue
to handle the calls on it, but return nothing */
/* DBDB need to sort out memory ownership here, it's not quite right */
+/*
+ * This function was inconsistent. We would allocated and "kind of",
+ * copy the sp_handle here for the vattr_map_entry_new path. But we
+ * would "take ownership" for the existing entry and the list addition
+ * path. Instead now, EVERY sp_handle we take, we take ownership of
+ * and the CALLER must allocate a new one each time.
+ *
+ * Better idea, is that regattr should just take the fn pointers
+ * and callers never *see* the sp_handle structure at all.
+ */
int
vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
--
2.13.6

1719
SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch Normal file
View file

File diff suppressed because it is too large Load diff

299
SOURCES/0025-Ticket-49184-Overflow-in-memberof.patch
View file

@ -1,299 +0,0 @@
From 710b0a6aaf1c648bc8fd33d4ab5bcc859a0ed851 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 13 Apr 2017 15:21:49 +0200
Subject: [PATCH] Ticket 49184 - Overflow in memberof
Bug Description:
The function memberof_call_foreach_dn can be used to retrieve ancestors of a
given entry. (ancestors are groups owning directly or indirectly a given entry).
With the use of group cache in memberof, at the entrance of memberof_call_foreach_dn
there is an attempt to get the entry ancestors from the cache.
Before doing so it needs to test if the cache is safe. In fact in case of
circular groups the use of the cache is disabled and lookup in the cache should not
happend.
To know if the cache is safe it needs to access a flag (use_cache) in callback_data.
The callback_data structure is opaque at this level. So accessing it
while its structure is unknown is dangerous.
The bug is that we may read an 'int' at an offset that overflow the actual structure.
This is just a test and should not trigger a crash.
Fix Description:
Add a flag to call memberof_call_foreach_dn so that, that indicates if
it is valid to use the group cache.
https://pagure.io/389-ds-base/issue/49184
Reviewed by: William Brown and Mark Reynolds (thanks to you !!)
Platforms tested: F23
Flag Day: no
Doc impact: no
---
dirsrvtests/tests/tickets/ticket49184_test.py | 146 ++++++++++++++++++++++++++
ldap/servers/plugins/memberof/memberof.c | 38 ++++---
2 files changed, 167 insertions(+), 17 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49184_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49184_test.py b/dirsrvtests/tests/tickets/ticket49184_test.py
new file mode 100644
index 0000000..20edfde
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49184_test.py
@@ -0,0 +1,146 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+GROUP_DN_1 = ("cn=group1," + DEFAULT_SUFFIX)
+GROUP_DN_2 = ("cn=group2," + DEFAULT_SUFFIX)
+SUPER_GRP1 = ("cn=super_grp1," + DEFAULT_SUFFIX)
+SUPER_GRP2 = ("cn=super_grp2," + DEFAULT_SUFFIX)
+SUPER_GRP3 = ("cn=super_grp3," + DEFAULT_SUFFIX)
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+def _add_group_with_members(topo, group_dn):
+ # Create group
+ try:
+ topo.standalone.add_s(Entry((group_dn,
+ {'objectclass': 'top groupofnames extensibleObject'.split(),
+ 'cn': 'group'})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add group: error ' + e.message['desc'])
+ assert False
+
+ # Add members to the group - set timeout
+ log.info('Adding members to the group...')
+ for idx in range(1, 5):
+ try:
+ MEMBER_VAL = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ topo.standalone.modify_s(group_dn,
+ [(ldap.MOD_ADD,
+ 'member',
+ MEMBER_VAL)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to update group: member (%s) - error: %s' %
+ (MEMBER_VAL, e.message['desc']))
+ assert False
+
+def _check_memberof(topo, member=None, memberof=True, group_dn=None):
+ # Check that members have memberof attribute on M1
+ for idx in range(1, 5):
+ try:
+ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ ent = topo.standalone.getEntry(USER_DN, ldap.SCOPE_BASE, "(objectclass=*)")
+ if presence_flag:
+ assert ent.hasAttr('memberof') and ent.getValue('memberof') == group_dn
+ else:
+ assert not ent.hasAttr('memberof')
+ except ldap.LDAPError as e:
+ log.fatal('Failed to retrieve user (%s): error %s' % (USER_DN, e.message['desc']))
+ assert False
+
+def _check_memberof(topo, member=None, memberof=True, group_dn=None):
+ ent = topo.standalone.getEntry(member, ldap.SCOPE_BASE, "(objectclass=*)")
+ if memberof:
+ assert group_dn
+ assert ent.hasAttr('memberof') and group_dn in ent.getValues('memberof')
+ else:
+ if ent.hasAttr('memberof'):
+ assert group_dn not in ent.getValues('memberof')
+
+
+def test_ticket49184(topo):
+ """Write your testcase here...
+
+ Also, if you need any testcase initialization,
+ please, write additional fixture for that(include finalizer).
+ """
+
+ topo.standalone.plugins.enable(name=PLUGIN_MEMBER_OF)
+ topo.standalone.restart(timeout=10)
+
+ #
+ # create some users and a group
+ #
+ log.info('create users and group...')
+ for idx in range(1, 5):
+ try:
+ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ topo.standalone.add_s(Entry((USER_DN,
+ {'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'member%d' % (idx)})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add user (%s): error %s' % (USER_DN, e.message['desc']))
+ assert False
+
+ # add all users in GROUP_DN_1 and checks each users is memberof GROUP_DN_1
+ _add_group_with_members(topo, GROUP_DN_1)
+ for idx in range(1, 5):
+ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_1 )
+
+ # add all users in GROUP_DN_2 and checks each users is memberof GROUP_DN_2
+ _add_group_with_members(topo, GROUP_DN_2)
+ for idx in range(1, 5):
+ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_2 )
+
+ # add the level 2, 3 and 4 group
+ for super_grp in (SUPER_GRP1, SUPER_GRP2, SUPER_GRP3):
+ topo.standalone.add_s(Entry((super_grp,
+ {'objectclass': 'top groupofnames extensibleObject'.split(),
+ 'cn': 'super_grp'})))
+ topo.standalone.modify_s(SUPER_GRP1,
+ [(ldap.MOD_ADD,
+ 'member',
+ GROUP_DN_1),
+ (ldap.MOD_ADD,
+ 'member',
+ GROUP_DN_2)])
+ topo.standalone.modify_s(SUPER_GRP2,
+ [(ldap.MOD_ADD,
+ 'member',
+ GROUP_DN_1),
+ (ldap.MOD_ADD,
+ 'member',
+ GROUP_DN_2)])
+ return
+ topo.standalone.delete_s(GROUP_DN_2)
+ for idx in range(1, 5):
+ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX))
+ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_1 )
+ _check_memberof(topo, member=USER_DN, memberof=False, group_dn=GROUP_DN_2 )
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index 81ef092..5cd2c01 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -159,7 +159,7 @@ static int memberof_qsort_compare(const void *a, const void *b);
static void memberof_load_array(Slapi_Value **array, Slapi_Attr *attr);
static int memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN *sdn);
static int memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn, MemberOfConfig *config,
- char **types, plugin_search_entry_callback callback, void *callback_data, int *cached);
+ char **types, plugin_search_entry_callback callback, void *callback_data, int *cached, PRBool use_grp_cache);
static int memberof_is_direct_member(MemberOfConfig *config, Slapi_Value *groupdn,
Slapi_Value *memberdn);
static int memberof_is_grouping_attr(char *type, MemberOfConfig *config);
@@ -659,7 +659,7 @@ memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN *
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_del_dn_from_groups: Ancestors of %s\n", slapi_sdn_get_dn(sdn));
rc = memberof_call_foreach_dn(pb, sdn, config, groupattrs,
- memberof_del_dn_type_callback, &data, &cached);
+ memberof_del_dn_type_callback, &data, &cached, PR_FALSE);
}
return rc;
@@ -776,8 +776,8 @@ add_ancestors_cbdata(memberof_cached_value *ancestors, void *callback_data)
* could want type to be either "member" or "memberOf" depending on the case.
*/
int
-memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn,
- MemberOfConfig *config, char **types, plugin_search_entry_callback callback, void *callback_data, int *cached)
+memberof_call_foreach_dn(Slapi_PBlock *pb __attribute__((unused)), Slapi_DN *sdn,
+ MemberOfConfig *config, char **types, plugin_search_entry_callback callback, void *callback_data, int *cached, PRBool use_grp_cache)
{
Slapi_PBlock *search_pb = NULL;
Slapi_DN *base_sdn = NULL;
@@ -792,9 +792,6 @@ memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn,
int free_it = 0;
int rc = 0;
int i = 0;
- memberof_cached_value *ht_grp = NULL;
- memberof_get_groups_data *data = (memberof_get_groups_data*) callback_data;
- const char *ndn = slapi_sdn_get_ndn(sdn);
*cached = 0;
@@ -802,17 +799,24 @@ memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn,
return (rc);
}
- /* Here we will retrieve the ancestor of sdn.
- * The key access is the normalized sdn
- * This is done through recursive internal searches of parents
- * If the ancestors of sdn are already cached, just use
- * this value
+ /* This flags indicates memberof_call_foreach_dn is called to retrieve ancestors (groups).
+ * To improve performance, it can use a cache. (it will not in case of circular groups)
+ * When this flag is true it means no circular group are detected (so far) so we can use the cache
*/
- if (data && data->use_cache) {
+ if (use_grp_cache) {
+ /* Here we will retrieve the ancestor of sdn.
+ * The key access is the normalized sdn
+ * This is done through recursive internal searches of parents
+ * If the ancestors of sdn are already cached, just use
+ * this value
+ */
+ memberof_cached_value *ht_grp = NULL;
+ const char *ndn = slapi_sdn_get_ndn(sdn);
+
ht_grp = ancestors_cache_lookup((const void *) ndn);
if (ht_grp) {
#if MEMBEROF_CACHE_DEBUG
- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp);
+ slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp);
#endif
add_ancestors_cbdata(ht_grp, callback_data);
*cached = 1;
@@ -1106,7 +1110,7 @@ memberof_replace_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config,
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_replace_dn_from_groups: Ancestors of %s\n", slapi_sdn_get_dn(post_sdn));
if((ret = memberof_call_foreach_dn(pb, pre_sdn, config, groupattrs,
memberof_replace_dn_type_callback,
- &data, &cached)))
+ &data, &cached, PR_FALSE)))
{
break;
}
@@ -2383,7 +2387,7 @@ memberof_get_groups_r(MemberOfConfig *config, Slapi_DN *member_sdn,
slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_get_groups_r: Ancestors of %s\n", slapi_sdn_get_dn(member_sdn));
#endif
rc = memberof_call_foreach_dn(NULL, member_sdn, config, config->groupattrs,
- memberof_get_groups_callback, &member_data, &cached);
+ memberof_get_groups_callback, &member_data, &cached, member_data.use_cache);
merge_ancestors(&member_ndn_val, &member_data, data);
if (!cached && member_data.use_cache)
@@ -2578,7 +2582,7 @@ memberof_test_membership(Slapi_PBlock *pb, MemberOfConfig *config,
int cached = 0;
return memberof_call_foreach_dn(pb, group_sdn, config, attrs,
- memberof_test_membership_callback, config, &cached);
+ memberof_test_membership_callback, config, &cached, PR_FALSE);
}
/*
--
2.9.3

42
SOURCES/0026-Ticket-49196-Autotune-generates-crit-messages.patch
View file

@ -1,42 +0,0 @@
From 8a0b4643e1119e994370089fd52721373e88bb51 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Wed, 29 Mar 2017 10:59:14 +1000
Subject: [PATCH] Ticket 49196 - Autotune generates crit messages
Bug Description: The cache sanity check generates critical messages.
Fix Description: Make the sanity check generate warning messages.
https://pagure.io/389-ds-base/issue/49196
Author: wibrown
Review by: mreynolds (Thanks!)
---
ldap/servers/slapd/back-ldbm/start.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c
index 759af8a..1ae9858 100644
--- a/ldap/servers/slapd/back-ldbm/start.c
+++ b/ldap/servers/slapd/back-ldbm/start.c
@@ -265,12 +265,12 @@ ldbm_back_start_autotune(struct ldbminfo *li) {
issane = util_is_cachesize_sane(&total_cache_size);
if (!issane) {
/* Right, it's time to panic */
- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "It is highly likely your memory configuration of all backends will EXCEED your systems memory.\n");
- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "In a future release this WILL prevent server start up. You MUST alter your configuration.\n");
- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "Total entry cache size: %lu B; dbcache size: %lu B; available memory size: %lu B; \n",
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "It is highly likely your memory configuration of all backends will EXCEED your systems memory.\n");
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "In a future release this WILL prevent server start up. You MUST alter your configuration.\n");
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Total entry cache size: %lu B; dbcache size: %lu B; available memory size: %lu B; \n",
(PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize
);
- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "%s\n", msg);
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "%s\n", msg);
/* WB 2016 - This should be UNCOMMENTED in a future release */
/* return SLAPI_FAIL_GENERAL; */
}
--
2.9.3

169
SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch Normal file
View file

@ -0,0 +1,169 @@
From 403c5b61efb5aca3cbea31170d13dfba190ef355 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 2 Nov 2017 12:55:11 -0400
Subject: [PATCH] Ticket 49439 - cleanallruv is not logging information
Bug Description: During the logging refector effro from ticket 48978
a mistake was made and cleanruv_log() was using
LOG_NOTICE (which is not a true log level), it was
supposed to be SLAPI_LOG_NOTICE.
We also use DEBUG defines to contorl the logging for
debug builds
Fix Description: Remove the LDAP_DEBUG defines in cleanruv_log, and set
the correct logging severity level.
https://pagure.io/389-ds-base/issue/49439
Reviewed by: firstyear(Thanks!)
(cherry picked from commit e1f866a5e3ccce8e061e361c0e3dd11175a8acf2)
---
.../plugins/replication/repl5_replica_config.c | 30 ++++++++++------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 9c3c75458..9c8d6adbb 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -1783,7 +1783,7 @@ replica_cleanallruv_thread(void *arg)
/*
* need to sleep between passes
*/
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas have received the "
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas have received the "
"cleanallruv extended op, retrying in %d seconds",
interval);
if (!slapi_is_shutting_down()) {
@@ -1825,7 +1825,7 @@ replica_cleanallruv_thread(void *arg)
found_dirty_rid = 0;
} else {
found_dirty_rid = 1;
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica is not cleaned yet (%s)",
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica is not cleaned yet (%s)",
agmt_get_long_name(agmt));
break;
}
@@ -1843,7 +1843,7 @@ replica_cleanallruv_thread(void *arg)
* Need to sleep between passes unless we are shutting down
*/
if (!slapi_is_shutting_down()) {
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replicas have not been cleaned yet, "
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replicas have not been cleaned yet, "
"retrying in %d seconds",
interval);
PR_Lock(notify_lock);
@@ -1883,10 +1883,10 @@ done:
* Shutdown or abort
*/
if (!is_task_aborted(data->rid) || slapi_is_shutting_down()) {
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Server shutting down. Process will resume at server startup");
} else {
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Task aborted for rid(%d).", data->rid);
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Task aborted for rid(%d).", data->rid);
delete_cleaned_rid_config(data);
remove_cleaned_rid(data->rid);
}
@@ -2053,7 +2053,7 @@ check_replicas_are_done_cleaning(cleanruv_data *data)
break;
}
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Not all replicas finished cleaning, retrying in %d seconds",
interval);
if (!slapi_is_shutting_down()) {
@@ -2163,7 +2163,7 @@ check_replicas_are_done_aborting(cleanruv_data *data)
if (not_all_aborted == 0) {
break;
}
- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Not all replicas finished aborting, retrying in %d seconds", interval);
if (!slapi_is_shutting_down()) {
PR_Lock(notify_lock);
@@ -2210,7 +2210,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn)
not_all_caughtup = 0;
} else {
not_all_caughtup = 1;
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Replica not caught up (%s)", agmt_get_long_name(agmt));
break;
}
@@ -2220,7 +2220,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn)
if (not_all_caughtup == 0 || is_task_aborted(data->rid)) {
break;
}
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Not all replicas caught up, retrying in %d seconds", interval);
if (!slapi_is_shutting_down()) {
PR_Lock(notify_lock);
@@ -2270,7 +2270,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task)
not_all_alive = 0;
} else {
not_all_alive = 1;
- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica not online (%s)",
+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica not online (%s)",
agmt_get_long_name(agmt));
break;
}
@@ -2280,7 +2280,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task)
if (not_all_alive == 0 || is_task_aborted(rid)) {
break;
}
- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas online, retrying in %d seconds...",
+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas online, retrying in %d seconds...",
interval);
if (!slapi_is_shutting_down()) {
@@ -3063,7 +3063,7 @@ replica_abort_task_thread(void *arg)
* Need to sleep between passes. unless we are shutting down
*/
if (!slapi_is_shutting_down()) {
- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE, "Retrying in %d seconds", interval);
+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Retrying in %d seconds", interval);
PR_Lock(notify_lock);
PR_WaitCondVar(notify_cvar, PR_SecondsToInterval(interval));
PR_Unlock(notify_lock);
@@ -3184,7 +3184,7 @@ replica_cleanallruv_send_extop(Repl_Agmt *ra, cleanruv_data *clean_data, int che
/* extop was accepted */
rc = 0;
} else {
- cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Replica %s does not support the CLEANALLRUV task. "
"Sending replica CLEANRUV task...",
slapi_sdn_get_dn(agmt_get_dn_byref(ra)));
@@ -3352,7 +3352,7 @@ replica_cleanallruv_check_maxcsn(Repl_Agmt *agmt, char *basedn, char *rid_text,
csn_init_by_string(repl_max, remote_maxcsn);
if (csn_compare(repl_max, max) < 0) {
/* we are not caught up yet, free, and return */
- cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, LOG_NOTICE,
+ cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
"Replica maxcsn (%s) is not caught up with deleted replica's maxcsn(%s)",
remote_maxcsn, maxcsn);
rc = -1;
@@ -3525,7 +3525,6 @@ stop_ruv_cleaning()
void
cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...)
{
-#ifdef LDAP_DEBUG
va_list ap1;
va_list ap2;
va_list ap3;
@@ -3550,7 +3549,6 @@ cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fm
va_end(ap2);
va_end(ap3);
va_end(ap4);
-#endif
}
char *
--
2.13.6

36
SOURCES/0027-Issue-49221-During-an-upgrade-the-provided-localhost.patch
View file

@ -1,36 +0,0 @@
From 4e66114109263fff6b13192e07be9bbd9e493fee Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 17 Apr 2017 17:06:19 -0400
Subject: [PATCH 1/2] Issue 49221 - During an upgrade the provided localhost
name is ignored
Description: If the FullMachine name, or localhost, is provided in an INF
it is ignored during the upgrade the value of nsslapd-localhost
from the current server is used instead. We should only override
the localhost value if it is missing.
https://pagure.io/389-ds-base/issue/49221
Reviewed by: nhosoi(Thanks!)
---
ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
index e84a9a9..8b24b47 100644
--- a/ldap/admin/src/scripts/DSUpdate.pm.in
+++ b/ldap/admin/src/scripts/DSUpdate.pm.in
@@ -435,7 +435,9 @@ sub initInfFromInst {
my $servid = $inst;
$servid =~ s/slapd-//;
- $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
+ if (!$inf->{General}->{FullMachineName}) {
+ $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
+ }
$inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
$inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
$inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
--
2.9.3

32
SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch Normal file
View file

@ -0,0 +1,32 @@
From 3d045a240bb32b66e15401bf89eff5b980420b24 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 3 Nov 2017 12:18:26 -0400
Subject: [PATCH] Ticket 48393 - fix copy and paste error
Description: Copy and paste error when validating repl agmt
https://pagure.io/389-ds-base/issue/48393
Reviewed by: mreynolds(one line commit rule)
(cherry picked from commit 431647039c5e6d860d8866542050d456f69bb600)
---
ldap/servers/plugins/replication/repl5_agmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 78fb91ae6..ee396c8ef 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -339,7 +339,7 @@ agmt_new_from_entry(Slapi_Entry *e)
ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW;
if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){
int64_t flow;
- if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
+ if (repl_config_valid_num(type_nsds5ReplicaFlowControlWindow, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
goto loser;
}
slapi_ch_free_string(&val);
--
2.13.6

4106
SOURCES/0028-Ticket-48864-Add-cgroup-memory-limit-detection-to-38.patch
View file

File diff suppressed because it is too large Load diff

57
SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch Normal file
View file

@ -0,0 +1,57 @@
From 2b5b09a7a871d626bb45888f948126732d0893f3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 4 Oct 2017 12:55:30 -0400
Subject: [PATCH] Ticket 49038 - remove legacy replication - change cleanup
script precedence
Description: Bump the cleanup scripts precendance so it happens after the
main plugin upgrade scripts are called.
https://pagure.io/389-ds-base/issue/49038
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 1fe2c761103c36090ab67df0271dfdb3012037fb)
---
Makefile.am | 2 +-
...{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} | 0
rpm/389-ds-base.spec.in | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
rename ldap/admin/src/scripts/{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} (100%)
diff --git a/Makefile.am b/Makefile.am
index 09a6bc296..8834a7819 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -942,7 +942,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
ldap/admin/src/scripts/50telexnumbersyntaxplugin.ldif \
ldap/admin/src/scripts/50guidesyntaxplugin.ldif \
ldap/admin/src/scripts/50targetuniqueid.ldif \
- ldap/admin/src/scripts/50removeLegacyReplication.ldif \
+ ldap/admin/src/scripts/60removeLegacyReplication.ldif \
ldap/admin/src/scripts/50linkedattrsplugin.ldif \
ldap/admin/src/scripts/50usnplugin.ldif \
ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \
diff --git a/ldap/admin/src/scripts/50removeLegacyReplication.ldif b/ldap/admin/src/scripts/60removeLegacyReplication.ldif
similarity index 100%
rename from ldap/admin/src/scripts/50removeLegacyReplication.ldif
rename to ldap/admin/src/scripts/60removeLegacyReplication.ldif
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 1e5c2cfd3..30a1d7d9a 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -395,9 +395,9 @@ echo remove pid files . . . >> $output 2>&1 || :
echo upgrading instances . . . >> $output 2>&1 || :
DEBUGPOSTSETUPOPT=`/usr/bin/echo $DEBUGPOSTSETUP | /usr/bin/sed -e "s/[^d]//g"`
if [ -n "$DEBUGPOSTSETUPOPT" ] ; then
- %{_sbindir}/setup-ds.pl -l $output2 -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || :
+ %{_sbindir}/setup-ds.pl -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || :
else
- %{_sbindir}/setup-ds.pl -l $output2 -u -s General.UpdateMode=offline >> $output 2>&1 || :
+ %{_sbindir}/setup-ds.pl -u -s General.UpdateMode=offline >> $output 2>&1 || :
fi
# restart instances that require it
--
2.13.6

296
SOURCES/0029-Ticket-49204-Fix-lower-bounds-on-import-autosize-On-.patch
View file

@ -1,296 +0,0 @@
From 9be74e83539e204e9a56721da5c22bd9abf38195 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 19 Apr 2017 13:41:22 -0400
Subject: [PATCH] Ticket 49204 - Fix lower bounds on import autosize + On small
VM, autotune breaks the access of the suffixes
Bug Description:
ldif2db in some cases may set a cache of 0, which may y break imports.
Under memory pressure, the amount of available memory at startup
can be so low that the configured cachememsize will be rejected
(unwilling to perform).
This should leave the cachememsize being "0" (default)
This conduct to be unable to access the suffix pages.
Fix Description:
* autosize set an incorrect percentage which was too high.
* we did not check the lower bound of the allocation
so we now set that we must have a minimum allocation.
* Set entrycache to a minimal value, even if it looks insane
* add a cap on reduction of caches, so we always allocate a few pages
at least, and prevent returning 0 to the caller.
https://pagure.io/389-ds-base/issue/49204
Author: wibrown, tbordaz
Review by: tbordaz (Thanks mate, great work with this :) )
---
ldap/servers/slapd/back-ldbm/cache.c | 4 +--
ldap/servers/slapd/back-ldbm/dblayer.c | 33 +++++++++++++---------
ldap/servers/slapd/back-ldbm/dblayer.h | 12 ++++----
ldap/servers/slapd/back-ldbm/ldbm_config.c | 4 +--
.../servers/slapd/back-ldbm/ldbm_instance_config.c | 23 +++++++++++++--
ldap/servers/slapd/slapi-private.h | 2 +-
ldap/servers/slapd/util.c | 20 +++++++++----
7 files changed, 65 insertions(+), 33 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c
index 0f0cf3b..c6638a2 100644
--- a/ldap/servers/slapd/back-ldbm/cache.c
+++ b/ldap/servers/slapd/back-ldbm/cache.c
@@ -65,7 +65,7 @@
/* static functions */
static void entrycache_clear_int(struct cache *cache);
-static void entrycache_set_max_size(struct cache *cache, size_t bytes);
+static void entrycache_set_max_size(struct cache *cache, uint64_t bytes);
static int entrycache_remove_int(struct cache *cache, struct backentry *e);
static void entrycache_return(struct cache *cache, struct backentry **bep);
static int entrycache_replace(struct cache *cache, struct backentry *olde, struct backentry *newe);
@@ -77,7 +77,7 @@ static void entry_lru_verify(struct cache *cache, struct backentry *e, int in);
static int dn_same_id(const void *bdn, const void *k);
static void dncache_clear_int(struct cache *cache);
-static void dncache_set_max_size(struct cache *cache, size_t bytes);
+static void dncache_set_max_size(struct cache *cache, uint64_t bytes);
static int dncache_remove_int(struct cache *cache, struct backdn *dn);
static void dncache_return(struct cache *cache, struct backdn **bdn);
static int dncache_replace(struct cache *cache, struct backdn *olddn, struct backdn *newdn);
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 3c1fbb0..f834322 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -1237,8 +1237,8 @@ no_diskspace(struct ldbminfo *li, int dbenv_flags)
struct statvfs db_buf;
int using_region_files = !(dbenv_flags & ( DB_PRIVATE | DB_SYSTEM_MEM));
/* value of 10 == 10% == little more than the average overhead calculated for very large files on 64-bit system for bdb 4.7 */
- PRUint64 expected_siz = li->li_dbcachesize + li->li_dbcachesize/10; /* dbcache + region files */
- PRUint64 fsiz;
+ uint64_t expected_siz = li->li_dbcachesize + li->li_dbcachesize/10; /* dbcache + region files */
+ uint64_t fsiz;
char *region_dir;
if (statvfs(li->li_directory, &db_buf) < 0){
@@ -1263,7 +1263,7 @@ no_diskspace(struct ldbminfo *li, int dbenv_flags)
li->li_dblayer_private->dblayer_dbhome_directory);
return 1;
}
- fsiz = ((PRUint64)dbhome_buf.f_bavail) * ((PRUint64)dbhome_buf.f_bsize);
+ fsiz = ((uint64_t)dbhome_buf.f_bavail) * ((uint64_t)dbhome_buf.f_bsize);
region_dir = li->li_dblayer_private->dblayer_dbhome_directory;
} else {
/* Shared/private memory. No need to check disk space, return success */
@@ -1387,12 +1387,17 @@ dblayer_start(struct ldbminfo *li, int dbmode)
/* Sanity check on cache size on platforms which allow us to figure out
* the available phys mem */
slapi_pal_meminfo *mi = spal_meminfo_get();
- if (!util_is_cachesize_sane(mi, &(priv->dblayer_cachesize))) {
+ util_cachesize_result result = util_is_cachesize_sane(mi, &(priv->dblayer_cachesize));
+ if (result == UTIL_CACHESIZE_ERROR) {
+ slapi_log_err(SLAPI_LOG_CRIT, "dblayer_start", "Unable to determine if cachesize was valid!!!");
+ } else if (result == UTIL_CACHESIZE_REDUCED) {
+ /* In some cases we saw this go to 0, prevent this. */
+ if (priv->dblayer_cachesize < MINCACHESIZE) {
+ priv->dblayer_cachesize = MINCACHESIZE;
+ }
/* Oops---looks like the admin misconfigured, let's warn them */
- slapi_log_err(SLAPI_LOG_WARNING,"dblayer_start", "Likely CONFIGURATION ERROR -"
- "dbcachesize is configured to use more than the available "
- "physical memory, decreased to the largest available size (%"PRIu64" bytes).\n",
- priv->dblayer_cachesize);
+ slapi_log_err(SLAPI_LOG_WARNING, "dblayer_start", "Likely CONFIGURATION ERROR - dbcachesize is configured to use more than the available "
+ "memory, decreased to (%"PRIu64" bytes).\n", priv->dblayer_cachesize);
li->li_dbcachesize = priv->dblayer_cachesize;
}
spal_meminfo_destroy(mi);
@@ -3816,7 +3821,7 @@ static const u_int32_t default_flags = DB_NEXT;
typedef struct txn_test_iter {
DB *db;
DBC *cur;
- size_t cnt;
+ uint64_t cnt;
const char *attr;
u_int32_t flags;
backend *be;
@@ -3938,10 +3943,10 @@ static int txn_test_threadmain(void *param)
Object *inst_obj;
int rc = 0;
txn_test_iter **ttilist = NULL;
- size_t tticnt = 0;
+ uint64_t tticnt = 0;
DB_TXN *txn = NULL;
txn_test_cfg cfg = {0};
- size_t counter = 0;
+ uint64_t counter = 0;
char keybuf[8192];
char databuf[8192];
int dbattempts = 0;
@@ -4062,9 +4067,9 @@ retry_txn:
if (!rc) {
DBT key;
DBT data;
- size_t ii;
- size_t donecnt = 0;
- size_t cnt = 0;
+ uint64_t ii;
+ uint64_t donecnt = 0;
+ uint64_t cnt = 0;
/* phase 1 - open a cursor to each db */
if (cfg.verbose) {
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.h b/ldap/servers/slapd/back-ldbm/dblayer.h
index 816c943..77b04fa 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.h
+++ b/ldap/servers/slapd/back-ldbm/dblayer.h
@@ -90,8 +90,8 @@ struct dblayer_private
int dblayer_ncache;
int dblayer_previous_ncache;
int dblayer_tx_max;
- size_t dblayer_cachesize;
- size_t dblayer_previous_cachesize; /* Cache size when we last shut down--
+ uint64_t dblayer_cachesize;
+ uint64_t dblayer_previous_cachesize; /* Cache size when we last shut down--
* used to determine if we delete
* the mpool */
int dblayer_recovery_required;
@@ -102,15 +102,15 @@ struct dblayer_private
int dblayer_durable_transactions;
int dblayer_checkpoint_interval;
int dblayer_circular_logging;
- size_t dblayer_page_size; /* db page size if configured,
+ uint64_t dblayer_page_size; /* db page size if configured,
* otherwise default to DBLAYER_PAGESIZE */
- size_t dblayer_index_page_size; /* db index page size if configured,
+ uint64_t dblayer_index_page_size; /* db index page size if configured,
* otherwise default to
* DBLAYER_INDEX_PAGESIZE */
int dblayer_idl_divisor; /* divide page size by this to get IDL
* size */
- size_t dblayer_logfile_size; /* How large can one logfile be ? */
- size_t dblayer_logbuf_size; /* how large log buffer can be */
+ uint64_t dblayer_logfile_size; /* How large can one logfile be ? */
+ uint64_t dblayer_logbuf_size; /* how large log buffer can be */
int dblayer_file_mode; /* pmode for files we create */
int dblayer_verbose; /* Get libdb to exhale debugging info */
int dblayer_debug; /* Will libdb emit debugging info into
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index d5120d3..401cd60 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -1582,9 +1582,9 @@ static config_info ldbm_config[] = {
{CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0},
{CONFIG_DB_HOME_DIRECTORY, CONFIG_TYPE_STRING, "", &ldbm_config_db_home_directory_get, &ldbm_config_db_home_directory_set, 0},
{CONFIG_IMPORT_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "-1", &ldbm_config_import_cache_autosize_get, &ldbm_config_import_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
- {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "0", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0},
+ {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0},
{CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, 0},
- {CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "20000000", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "16777216", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_IDL_SWITCH, CONFIG_TYPE_STRING, "new", &ldbm_config_idl_get_idl_new, &ldbm_config_idl_set_tune, CONFIG_FLAG_ALWAYS_SHOW},
{CONFIG_IDL_UPDATE, CONFIG_TYPE_ONOFF, "on", &ldbm_config_idl_get_update, &ldbm_config_idl_set_update, 0},
{CONFIG_BYPASS_FILTER_TEST, CONFIG_TYPE_STRING, "on", &ldbm_config_get_bypass_filter_test, &ldbm_config_set_bypass_filter_test, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index 62cdbc3..36d830d 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -93,6 +93,7 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
int retval = LDAP_SUCCESS;
size_t val = (size_t) value;
uint64_t delta = 0;
+ uint64_t delta_original = 0;
/* Do whatever we can to make sure the data is ok. */
/* There is an error here. We check the new val against our current mem-alloc
@@ -108,18 +109,34 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
if (apply) {
if (val > inst->inst_cache.c_maxsize) {
delta = val - inst->inst_cache.c_maxsize;
+ delta_original = delta;
util_cachesize_result sane;
slapi_pal_meminfo *mi = spal_meminfo_get();
sane = util_is_cachesize_sane(mi, &delta);
spal_meminfo_destroy(mi);
- if (sane != UTIL_CACHESIZE_VALID){
- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: cachememsize value is too large.");
- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "cachememsize value is too large.\n");
+ if (sane == UTIL_CACHESIZE_ERROR){
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: unable to determine system memory limits.");
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "Enable to determine system memory limits.\n");
return LDAP_UNWILLING_TO_PERFORM;
+ } else if (sane == UTIL_CACHESIZE_REDUCED) {
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set", "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta);
+ /*
+ * This works as: value = 100
+ * delta_original to inst, 20;
+ * delta reduced to 5:
+ * 100 - (20 - 5) == 85;
+ * so if you recalculated delta now (val - inst), it would be 5.
+ */
+ val = val - (delta_original - delta);
}
}
+ if (inst->inst_cache.c_maxsize < MINCACHESIZE || val < MINCACHESIZE) {
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "force a minimal value %"PRIu64"\n", MINCACHESIZE);
+ /* This value will trigger an autotune next start up, but it should increase only */
+ val = MINCACHESIZE;
+ }
cache_set_max_size(&(inst->inst_cache), val, CACHE_TYPE_ENTRY);
}
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 0c76580..d9547d8 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1392,7 +1392,7 @@ typedef enum _util_cachesize_result {
* \return util_cachesize_result.
* \sa util_cachesize_result, spal_meminfo_get
*/
-util_cachesize_result util_is_cachesize_sane(slapi_pal_meminfo *mi, size_t *cachesize);
+util_cachesize_result util_is_cachesize_sane(slapi_pal_meminfo *mi, uint64_t *cachesize);
/**
* Retrieve the number of threads the server should run with based on this hardware.
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 012e83d..4ff6d41 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -1468,16 +1468,26 @@ util_is_cachesize_sane(slapi_pal_meminfo *mi, uint64_t *cachesize)
return UTIL_CACHESIZE_ERROR;
}
+ util_cachesize_result result = UTIL_CACHESIZE_VALID;
slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Available bytes %"PRIu64", requested bytes %"PRIu64"\n", mi->system_available_bytes, *cachesize);
if (*cachesize > mi->system_available_bytes) {
- /* Since we are ask for more than what's available, we give 3/4 of the remaining.
+ /* Since we are ask for more than what's available, we give 1/2 of the remaining.
* the remaining system mem to the cachesize instead, and log a warning
*/
- *cachesize = (mi->system_available_bytes * 0.75);
- slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Adjusted cachesize to %"PRIu64"\n", *cachesize);
- return UTIL_CACHESIZE_REDUCED;
+ uint64_t adjust_cachesize = (mi->system_available_bytes * 0.5);
+ if (adjust_cachesize > *cachesize) {
+ slapi_log_err(SLAPI_LOG_CRIT, "util_is_cachesize_sane", "Invalid adjusted cachesize is greater than request %"PRIu64, adjust_cachesize);
+ return UTIL_CACHESIZE_ERROR;
+ }
+ if (adjust_cachesize < (16 * mi->pagesize_bytes)) {
+ /* At minimum respond with 16 pages - that's 64k on x86_64 */
+ adjust_cachesize = 16 * mi->pagesize_bytes;
+ }
+ *cachesize = adjust_cachesize;
+ slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Adjusted cachesize down to %"PRIu64"\n", *cachesize);
+ result = UTIL_CACHESIZE_REDUCED;
}
- return UTIL_CACHESIZE_VALID;
+ return result;
}
long
--
2.9.3

88
SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch Normal file
View file

@ -0,0 +1,88 @@
From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 15 Nov 2017 13:27:58 -0500
Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
Bug Description: Replication using SSL Client Auth breaks when FIPS
is enabled. This is because FIPS mode changes the
internal certificate token name.
Fix Description: If FIPS is enabled grab the token name from the internal
slot instead of using the default hardcoded internal
token name.
https://pagure.io/389-ds-base/issue/49454
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
---
ldap/servers/slapd/proto-slap.h | 1 +
ldap/servers/slapd/security_wrappers.c | 6 ++++++
ldap/servers/slapd/ssl.c | 24 +++++++++++++++++-------
3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4a30def8b..3b7ab53b2 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);
/*
* start_tls_extop.c
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
index bec28d2f3..41fe03608 100644
--- a/ldap/servers/slapd/security_wrappers.c
+++ b/ldap/servers/slapd/security_wrappers.c
@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
{
return PK11_GetPBECryptoMechanism(algid, params, pwitem);
}
+
+char *
+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
+{
+ return PK11_GetTokenName(slot);
+}
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index efe32d5d0..52ac7ea9f 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
if (ssltoken && personality) {
if (!PL_strcasecmp(ssltoken, "internal") ||
- !PL_strcasecmp(ssltoken, "internal (software)")) {
-
- /* Translate config internal name to more
- * readable form. Certificate name is just
- * the personality for internal tokens.
- */
- token = slapi_ch_strdup(internalTokenName);
+ !PL_strcasecmp(ssltoken, "internal (software)"))
+ {
+ if ( slapd_pk11_isFIPS() ) {
+ /*
+ * FIPS mode changes the internal token name, so we need to
+ * grab the new token name from the internal slot.
+ */
+ PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
+ token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
+ PK11_FreeSlot(slot);
+ } else {
+ /*
+ * Translate config internal name to more readable form.
+ * Certificate name is just the personality for internal tokens.
+ */
+ token = slapi_ch_strdup(internalTokenName);
+ }
#if defined(USE_OPENLDAP)
/* openldap needs tokenname:certnick */
PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
--
2.13.6

328
SOURCES/0030-Ticket-49231-fix-sasl-mech-handling.patch
View file

@ -1,328 +0,0 @@
From 88a0ce3c3f89244a77dfa618c8a5064bda30f376 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Wed, 26 Apr 2017 15:48:30 +1000
Subject: [PATCH] Ticket 49231 - fix sasl mech handling
Bug Description: In our sasl code we had two issues. One was that
we did not correctly apply the list of sasl allowed mechs to our
rootdse list in ids_sasl_listmech. The second was that on config
reset, we did not correctly set null to the value.
Fix Description: Fix the handling of the mech lists to allow
reset, and allow the mech list to be updated properly.
https://pagure.io/389-ds-base/issue/49231
Author: wibrown
Review by: mreynolds (Thanks!)
---
dirsrvtests/tests/suites/sasl/allowed_mechs.py | 43 ++++++++++++++++++
ldap/servers/slapd/charray.c | 48 +++++++++++++++++---
ldap/servers/slapd/libglobs.c | 62 ++++++++++++++++++++------
ldap/servers/slapd/proto-slap.h | 1 +
ldap/servers/slapd/saslbind.c | 21 ++++++++-
ldap/servers/slapd/slap.h | 1 +
ldap/servers/slapd/slapi-private.h | 1 +
7 files changed, 156 insertions(+), 21 deletions(-)
create mode 100644 dirsrvtests/tests/suites/sasl/allowed_mechs.py
diff --git a/dirsrvtests/tests/suites/sasl/allowed_mechs.py b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
new file mode 100644
index 0000000..a3e385e
--- /dev/null
+++ b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
@@ -0,0 +1,43 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+
+import pytest
+import ldap
+
+import time
+
+from lib389.topologies import topology_st
+
+def test_sasl_allowed_mechs(topology_st):
+ standalone = topology_st.standalone
+
+ # Get the supported mechs. This should contain PLAIN, GSSAPI, EXTERNAL at least
+ orig_mechs = standalone.rootdse.supported_sasl()
+ print(orig_mechs)
+ assert('GSSAPI' in orig_mechs)
+ assert('PLAIN' in orig_mechs)
+ assert('EXTERNAL' in orig_mechs)
+
+ # Now edit the supported mechs. CHeck them again.
+ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'EXTERNAL, PLAIN')
+
+ limit_mechs = standalone.rootdse.supported_sasl()
+ print(limit_mechs)
+ assert('PLAIN' in limit_mechs)
+ assert('EXTERNAL' in limit_mechs)
+ assert('GSSAPI' not in limit_mechs)
+
+ # Do a config reset
+ standalone.config.reset('nsslapd-allowed-sasl-mechanisms')
+
+ # check the supported list is the same as our first check.
+ final_mechs = standalone.rootdse.supported_sasl()
+ print(final_mechs)
+ assert(set(final_mechs) == set(orig_mechs))
+
diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c
index 5551dcc..6b89714 100644
--- a/ldap/servers/slapd/charray.c
+++ b/ldap/servers/slapd/charray.c
@@ -348,8 +348,9 @@ slapi_str2charray_ext( char *str, char *brkstr, int allow_dups )
}
}
- if ( !dup_found )
+ if ( !dup_found ) {
res[i++] = slapi_ch_strdup( s );
+ }
}
res[i] = NULL;
@@ -413,10 +414,11 @@ charray_subtract(char **a, char **b, char ***c)
char **bp, **cp, **tmp;
char **p;
- if (c)
+ if (c) {
tmp = *c = cool_charray_dup(a);
- else
+ } else {
tmp = a;
+ }
for (cp = tmp; cp && *cp; cp++) {
for (bp = b; bp && *bp; bp++) {
@@ -433,12 +435,48 @@ charray_subtract(char **a, char **b, char ***c)
for (p = cp+1; *p && *p == (char *)SUBTRACT_DEL; p++)
;
*cp = *p;
- if (*p == NULL)
+ if (*p == NULL) {
break;
- else
+ } else {
*p = SUBTRACT_DEL;
+ }
+ }
+ }
+}
+
+/*
+ * Provides the intersection of two arrays.
+ * IE if you have:
+ * (A, B, C)
+ * (B, D, E)
+ * result is (B,)
+ * a and b are NOT consumed in the process.
+ */
+char **
+charray_intersection(char **a, char **b) {
+ char **result;
+ size_t rp = 0;
+
+ if (a == NULL || b == NULL) {
+ return NULL;
+ }
+
+ size_t a_len = 0;
+ /* Find how long A is. */
+ for (; a[a_len] != NULL; a_len++);
+
+ /* Allocate our result, it can't be bigger than A */
+ result = (char **)slapi_ch_calloc(1, sizeof(char *) * (a_len + 1));
+
+ /* For each in A, see if it's in b */
+ for (size_t i = 0; a[i] != NULL; i++) {
+ if (charray_get_index(b, a[i]) != -1) {
+ result[rp] = slapi_ch_strdup(a[i]);
+ rp++;
}
}
+
+ return result;
}
int
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 0e818a9..2fc9fbf 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -7090,9 +7090,30 @@ config_set_entryusn_import_init( const char *attrname, char *value,
return retVal;
}
+char **
+config_get_allowed_sasl_mechs_array(void)
+{
+ /*
+ * array of mechs. If is null, returns NULL thanks to ch_array_dup.
+ * Caller must free!
+ */
+ char **retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_array_dup(slapdFrontendConfig->allowed_sasl_mechs_array);
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
char *
-config_get_allowed_sasl_mechs()
+config_get_allowed_sasl_mechs(void)
{
+ /*
+ * Space seperated list of allowed mechs
+ * if this is NULL, means *all* mechs are allowed!
+ */
char *retVal;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -7113,22 +7134,35 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
return LDAP_SUCCESS;
}
- /* cyrus sasl doesn't like comma separated lists */
- remove_commas(value);
+ /* During a reset, the value is "", so we have to handle this case. */
+ if (strcmp(value, "") != 0) {
+ /* cyrus sasl doesn't like comma separated lists */
+ remove_commas(value);
+
+ if(invalid_sasl_mech(value)){
+ slapi_log_err(SLAPI_LOG_ERR,"config_set_allowed_sasl_mechs",
+ "Invalid value/character for sasl mechanism (%s). Use ASCII "
+ "characters, upto 20 characters, that are upper-case letters, "
+ "digits, hyphens, or underscores\n", value);
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
- if(invalid_sasl_mech(value)){
- slapi_log_err(SLAPI_LOG_ERR,"config_set_allowed_sasl_mechs",
- "Invalid value/character for sasl mechanism (%s). Use ASCII "
- "characters, upto 20 characters, that are upper-case letters, "
- "digits, hyphens, or underscores\n", value);
- return LDAP_UNWILLING_TO_PERFORM;
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs);
+ slapi_ch_array_free(slapdFrontendConfig->allowed_sasl_mechs_array);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ slapdFrontendConfig->allowed_sasl_mechs_array = slapi_str2charray_ext(value, " ", 0);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ } else {
+ /* If this value is "", we need to set the list to *all* possible mechs */
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs);
+ slapi_ch_array_free(slapdFrontendConfig->allowed_sasl_mechs_array);
+ slapdFrontendConfig->allowed_sasl_mechs = NULL;
+ slapdFrontendConfig->allowed_sasl_mechs_array = NULL;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
}
- CFG_LOCK_WRITE(slapdFrontendConfig);
- slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs);
- slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
-
return LDAP_SUCCESS;
}
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index fdb4bf0..9696ead 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -553,6 +553,7 @@ size_t config_get_ndn_cache_size(void);
int config_get_ndn_cache_enabled(void);
int config_get_return_orig_type_switch(void);
char *config_get_allowed_sasl_mechs(void);
+char **config_get_allowed_sasl_mechs_array(void);
int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply);
int config_get_schemamod(void);
int config_set_ignore_vattrs(const char *attrname, char *value, char *errorbuf, int apply);
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 2d6fb64..6e544e6 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -744,7 +744,10 @@ void ids_sasl_server_new(Connection *conn)
*/
char **ids_sasl_listmech(Slapi_PBlock *pb)
{
- char **ret, **others;
+ char **ret;
+ char **config_ret;
+ char **sup_ret;
+ char **others;
const char *str;
char *dupstr;
sasl_conn_t *sasl_conn;
@@ -754,7 +757,7 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
PR_ASSERT(pb);
/* hard-wired mechanisms and slapi plugin registered mechanisms */
- ret = slapi_get_supported_saslmechanisms_copy();
+ sup_ret = slapi_get_supported_saslmechanisms_copy();
if (pb->pb_conn == NULL) return ret;
@@ -777,6 +780,20 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
}
PR_ExitMonitor(pb->pb_conn->c_mutex);
+ /* Get the servers "allowed" list */
+ config_ret = config_get_allowed_sasl_mechs_array();
+
+ /* Remove any content that isn't in the allowed list */
+ if (config_ret != NULL) {
+ /* Get the set of supported mechs in the insection of the two */
+ ret = charray_intersection(sup_ret, config_ret);
+ charray_free(sup_ret);
+ charray_free(config_ret);
+ } else {
+ /* The allowed list was empty, just take our supported list. */
+ ret = sup_ret;
+ }
+
slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "<=\n");
return ret;
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index abfad20..5e44cc8 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2577,6 +2577,7 @@ typedef struct _slapdFrontendConfig {
int pagedsizelimit;
char *default_naming_context; /* Default naming context (normalized) */
char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */
+ char **allowed_sasl_mechs_array; /* Array of allow sasl mechs */
int sasl_max_bufsize; /* The max receive buffer size for SASL */
/* disk monitoring */
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index d9547d8..3f732e8 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -831,6 +831,7 @@ int charray_remove(char **a, const char *s, int freeit);
char ** cool_charray_dup( char **a );
void cool_charray_free( char **array );
void charray_subtract( char **a, char **b, char ***c );
+char **charray_intersection(char **a, char **b);
int charray_get_index(char **array, char *s);
int charray_normdn_add(char ***chararray, char *dn, char *errstr);
--
2.9.3

1029
SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch Normal file
View file

File diff suppressed because it is too large Load diff

50
SOURCES/0031-Ticket-49230-slapi_register_plugin-creates-config-en.patch
View file

@ -1,50 +0,0 @@
From 91a162d66c2fe239c009f1ee16974d310b333e7e Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Fri, 21 Apr 2017 17:16:55 +0200
Subject: [PATCH] Ticket 49230 - slapi_register_plugin creates config entry
where it should not
Bug Description:
slapi-register-plugin systematically create an entry under
'cn=plugins,cn=config' because it is not taking into account
the flag 'add_entry in 'plugin_setup'.
This is potentially a regression introduced by
https://pagure.io/389-ds-base/issue/49066 (TBC)
Fix Description:
Test 'add_entry' before adding the entry
https://pagure.io/389-ds-base/issue/49230
Review by: Mark Reynolds, William Brown
---
ldap/servers/slapd/plugin.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index ac8306f..a5e0724 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -3132,11 +3132,13 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
add_plugin_entry_dn(dn_copy);
}
- /* make a copy of the plugin entry for our own use because it will
- be freed later by the caller */
- Slapi_Entry *e_copy = slapi_entry_dup(plugin_entry);
- /* new_plugin_entry(&plugin_entries, plugin_entry, plugin); */
- new_plugin_entry(&dep_plugin_entries, e_copy, plugin);
+ if (add_entry) {
+ /* make a copy of the plugin entry for our own use because it will
+ be freed later by the caller */
+ Slapi_Entry *e_copy = slapi_entry_dup(plugin_entry);
+ /* new_plugin_entry(&plugin_entries, plugin_entry, plugin); */
+ new_plugin_entry(&dep_plugin_entries, e_copy, plugin);
+ }
PLUGIN_CLEANUP:
if (status) {
--
2.9.3

84
SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch Normal file
View file

@ -0,0 +1,84 @@
From 11cea14acfc11d0328013b61a3e1396e97dfe577 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 14 Nov 2017 16:29:03 +0100
Subject: [PATCH] Ticket 49410 - opened connection can remain no longer poll,
like hanging
Bug Description:
Some opened connection are no longer poll.
Those connections has 'gettingber' toggle set although there is
no more worker thread reading it.
The reason they have gettingber set is that the last
operation had 'persistent search' flag. With such flag
gettingber is not reset.
persistent flag is set even when no persistent search/sync_repl
was received on the connection.
The problem is that the flag is tested on the wrong operation.
The tested operation can be
- the first operation when the connection entered in turbo mode
- the previous operation if several ops PDUs were read on the network
- accessing random memory
In theory testing the flag can lead to sigsev even
if it never crash
Fix Description:
The fix is to use the operation that is in the pblock
In such case pb_op is no longer used, so we can get rid of it.
In addition make pb_conn a local variable where it is used
https://pagure.io/389-ds-base/issue/49410
Reviewed by: Ludwig Krispenz, Mark Reynolds
Platforms tested: F26
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/connection.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 24a7a1c05..3f19b9765 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -1498,8 +1498,6 @@ connection_threadmain()
int maxthreads = 0;
int enable_nunc_stans = 0;
long bypasspollcnt = 0;
- Connection *pb_conn = NULL;
- Operation *pb_op = NULL;
enable_nunc_stans = config_get_enable_nunc_stans();
#if defined(hpux)
@@ -1520,6 +1518,8 @@ connection_threadmain()
}
if (!thread_turbo_flag && !more_data) {
+ Connection *pb_conn = NULL;
+
/* If more data is left from the previous connection_read_operation,
we should finish the op now. Client might be thinking it's
done sending the request and wait for the response forever.
@@ -1530,7 +1530,6 @@ connection_threadmain()
* Connection wait for new work provides the conn and op for us.
*/
slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
switch (ret) {
case CONN_NOWORK:
@@ -1786,7 +1785,7 @@ connection_threadmain()
/* total number of ops for the server */
slapi_counter_increment(ops_completed);
/* If this op isn't a persistent search, remove it */
- if (pb_op->o_flags & OP_FLAG_PS) {
+ if (op->o_flags & OP_FLAG_PS) {
PR_EnterMonitor(conn->c_mutex);
connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
PR_ExitMonitor(conn->c_mutex);
--
2.13.6

221
SOURCES/0032-49227-ldapsearch-for-nsslapd-errorlog-level-re.patch
View file

@ -1,221 +0,0 @@
From e5f78f9f6a8cab7bfbd33e14912508183f9da283 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 20 Apr 2017 15:01:33 -0400
Subject: [PATCH] Issue 49227 - ldapsearch for nsslapd-errorlog-level returns
incorrect values
Bug Description: ldapsearch for the error log level returns the internal
bitmask value and not the value set in cn=config.
Fix Description: When setting the error log level store the initial/untouched
value in the config entry first, then set the bitmasked
global log level variable.
https://pagure.io/389-ds-base/issue/49227
Reviewed by: nhosoi(Thanks!)
---
dirsrvtests/tests/tickets/ticket49227_test.py | 111 ++++++++++++++++++++++++++
ldap/servers/slapd/configdse.c | 4 +-
ldap/servers/slapd/libglobs.c | 11 +--
ldap/servers/slapd/slap.h | 3 +-
4 files changed, 121 insertions(+), 8 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49227_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49227_test.py b/dirsrvtests/tests/tickets/ticket49227_test.py
new file mode 100644
index 0000000..86e0b9a
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49227_test.py
@@ -0,0 +1,111 @@
+import os
+import time
+import ldap
+import logging
+import pytest
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+DEFAULT_LEVEL = "16384"
+
+
+def set_level(topo, level):
+ ''' Set the error log level
+ '''
+ try:
+ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', level)])
+ time.sleep(1)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to set loglevel to %s - error: %s' % (level, str(e)))
+ assert False
+
+
+def get_level(topo):
+ ''' Set the error log level
+ '''
+ try:
+ config = topo.standalone.search_s("cn=config", ldap.SCOPE_BASE, "objectclass=top")
+ time.sleep(1)
+ return config[0].getValue('nsslapd-errorlog-level')
+ except ldap.LDAPError as e:
+ log.fatal('Failed to get loglevel - error: %s' % (str(e)))
+ assert False
+
+
+def get_log_size(topo):
+ ''' Get the errors log size
+ '''
+ statinfo = os.stat(topo.standalone.errlog)
+ return statinfo.st_size
+
+
+def test_ticket49227(topo):
+ """Set the error log to varying levels, and make sure a search for that value
+ reflects the expected value (not the bitmasked value.
+ """
+ log_size = get_log_size(topo)
+
+ # Check the default level
+ level = get_level(topo)
+ if level != DEFAULT_LEVEL:
+ log.fatal('Incorrect default logging level: %s' % (level))
+ assert False
+
+ # Set connection logging
+ set_level(topo, '8')
+ level = get_level(topo)
+ if level != '8':
+ log.fatal('Incorrect connection logging level: %s' % (level))
+ assert False
+
+ # Check the actual log
+ new_size = get_log_size(topo)
+ if new_size == log_size:
+ # Size should be different
+ log.fatal('Connection logging is not working')
+ assert False
+
+ # Set default logging using zero
+ set_level(topo, '0')
+ log_size = get_log_size(topo)
+ level = get_level(topo)
+ if level != DEFAULT_LEVEL:
+ log.fatal('Incorrect default logging level: %s' % (level))
+ assert False
+
+ # Check the actual log
+ new_size = get_log_size(topo)
+ if new_size != log_size:
+ # Size should be the size
+ log.fatal('Connection logging is still on')
+ assert False
+
+ # Set default logging using the default value
+ set_level(topo, DEFAULT_LEVEL)
+ level = get_level(topo)
+ if level != DEFAULT_LEVEL:
+ log.fatal('Incorrect default logging level: %s' % (level))
+ assert False
+
+ # Check the actual log
+ new_size = get_log_size(topo)
+ if new_size != log_size:
+ # Size should be the size
+ log.fatal('Connection logging is still on')
+ assert False
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 78162c9..08d1ace 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -404,12 +404,12 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
config_attr);
rc = LDAP_UNWILLING_TO_PERFORM;
} else if (ignore_attr_type(config_attr)) {
- slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
+ slapi_log_err(SLAPI_LOG_CONFIG, "modify_config_dse",
"Modification of attribute \"%s\" is not allowed, ignoring!\n",
config_attr);
} else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) {
if (apply_mods) { /* log warning once */
- slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
+ slapi_log_err(SLAPI_LOG_CONFIG, "modify_config_dse",
"Adding configuration attribute \"%s\"\n",
config_attr);
}
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 2fc9fbf..bb51827 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -308,7 +308,7 @@ static struct config_get_and_set {
{CONFIG_LOGLEVEL_ATTRIBUTE, config_set_errorlog_level,
NULL, 0,
(void**)&global_slapdFrontendConfig.errorloglevel,
- CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_ERRORLOG_LEVEL_STR},
+ CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR},
{CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_logging_enabled,
@@ -1597,7 +1597,7 @@ FrontendConfig_init(void) {
cfg->errorlog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE;
cfg->errorlog_exptime = SLAPD_DEFAULT_LOG_EXPTIME;
cfg->errorlog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
- cfg->errorloglevel = SLAPD_DEFAULT_ERRORLOG_LEVEL;
+ cfg->errorloglevel = SLAPD_DEFAULT_FE_ERRORLOG_LEVEL;
init_auditlog_logging_enabled = cfg->auditlog_logging_enabled = LDAP_OFF;
cfg->auditlog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE);
@@ -4474,9 +4474,10 @@ config_set_errorlog_level( const char *attrname, char *value, char *errorbuf, in
if ( apply ) {
CFG_LOCK_WRITE(slapdFrontendConfig);
- level |= SLAPD_DEFAULT_ERRORLOG_LEVEL; /* Always apply the new default error levels for now */
- slapd_ldap_debug = level;
slapdFrontendConfig->errorloglevel = level;
+ /* Set the internal value - apply the default error level */
+ level |= SLAPD_DEFAULT_ERRORLOG_LEVEL;
+ slapd_ldap_debug = level;
CFG_UNLOCK_WRITE(slapdFrontendConfig);
}
return retVal;
@@ -5771,7 +5772,7 @@ config_get_errorlog_level(){
retVal = slapdFrontendConfig->errorloglevel;
CFG_UNLOCK_READ(slapdFrontendConfig);
- return retVal;
+ return retVal |= SLAPD_DEFAULT_ERRORLOG_LEVEL;
}
/* return integer -- don't worry about locking similar to config_check_referral_mode
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 5e44cc8..04c9b79 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -343,7 +343,8 @@ typedef void (*VFPV)(); /* takes undefined arguments */
* LDAP_DEBUG_WARNING | LDAP_DEBUG_NOTICE | LDAP_DEBUG_INFO)
*/
#define SLAPD_DEFAULT_ERRORLOG_LEVEL 266354688
-#define SLAPD_DEFAULT_ERRORLOG_LEVEL_STR "266354688"
+#define SLAPD_DEFAULT_FE_ERRORLOG_LEVEL 16384 /* frontend log level */
+#define SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR "16384"
#define SLAPD_DEFAULT_ACCESSLOG_LEVEL 256
#define SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR "256"
--
2.9.3

35
SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch Normal file
View file

@ -0,0 +1,35 @@
From 5f38be985bc98969b0fdaa6ece8f84b11bdddc2f Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Thu, 9 Nov 2017 10:20:44 +0100
Subject: [PATCH] Ticket 49443 - scope one searches in 1.3.7 give incorrect
results
Bug: if a onelevel search is done for an unidexed attribute, the filter test is skipped
and all children of the search base are returned
Fix: enforce filter test if allids
Reviewed by: Mark, thanks
---
ldap/servers/slapd/back-ldbm/idl_set.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ldap/servers/slapd/back-ldbm/idl_set.c b/ldap/servers/slapd/back-ldbm/idl_set.c
index ba39ff03f..b68e7ab76 100644
--- a/ldap/servers/slapd/back-ldbm/idl_set.c
+++ b/ldap/servers/slapd/back-ldbm/idl_set.c
@@ -349,6 +349,11 @@ idl_set_intersect(IDListSet *idl_set, backend *be)
{
IDList *result_list = NULL;
+ if (idl_set->allids) {
+ /* if any component was allids we have to apply the filtertest */
+ slapi_be_set_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST);
+ }
+
if (idl_set->allids != 0 && idl_set->count == 0) {
/*
* We only have allids, so must be allids.
--
2.13.6

57
SOURCES/0033-Ticket-48989-fix-perf-counters.patch
View file

@ -1,57 +0,0 @@
From a7b9a9ddbff47c2226e60e403374d5e451fac344 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 2 May 2017 13:48:33 -0400
Subject: [PATCH] Ticket 48989 - fix perf counters
Description: There was a copy & paste error where page_access_rate
was added, but it listed the wrong attribute name. However,
the page_access_rate formula doesn't make sense, nor are
there more page stats to use from Berklely DB. Because
of this I just removed page_access_rate.
https://pagure.io/389-ds-base/issue/48989
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 18a77e957119bd9994833b7290747f99d73b3745)
---
ldap/servers/slapd/back-ldbm/perfctrs.c | 3 ---
ldap/servers/slapd/back-ldbm/perfctrs.h | 1 -
2 files changed, 4 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.c b/ldap/servers/slapd/back-ldbm/perfctrs.c
index 5929dea..9132097 100644
--- a/ldap/servers/slapd/back-ldbm/perfctrs.c
+++ b/ldap/servers/slapd/back-ldbm/perfctrs.c
@@ -165,7 +165,6 @@ void perfctrs_update(perfctrs_private *priv, DB_ENV *db_env)
if (0 == ret) {
#define ONEG 1073741824
perf->cache_size_bytes = mpstat->st_gbytes * ONEG + mpstat->st_bytes;
- perf->page_access_rate = mpstat->st_cache_hit + mpstat->st_cache_miss;
perf->cache_hit = mpstat->st_cache_hit;
perf->cache_try = mpstat->st_cache_hit + mpstat->st_cache_miss;
perf->page_create_rate = mpstat->st_page_create;
@@ -257,8 +256,6 @@ static SlapiLDBMPerfctrATMap perfctr_at_map[] = {
offsetof( performance_counters, log_write_rate ) },
{ SLAPI_LDBM_PERFCTR_AT_PREFIX "longest-chain-length",
offsetof( performance_counters, longest_chain_length ) },
- { SLAPI_LDBM_PERFCTR_AT_PREFIX "objects-locked",
- offsetof( performance_counters, page_access_rate ) },
{ SLAPI_LDBM_PERFCTR_AT_PREFIX "page-create-rate",
offsetof( performance_counters, page_create_rate ) },
{ SLAPI_LDBM_PERFCTR_AT_PREFIX "page-read-rate",
diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.h b/ldap/servers/slapd/back-ldbm/perfctrs.h
index 64c79e1..a6213ec 100644
--- a/ldap/servers/slapd/back-ldbm/perfctrs.h
+++ b/ldap/servers/slapd/back-ldbm/perfctrs.h
@@ -32,7 +32,6 @@ struct _performance_counters {
uint64_t log_write_rate;
uint64_t log_bytes_since_checkpoint;
uint64_t cache_size_bytes;
- uint64_t page_access_rate;
uint64_t cache_hit;
uint64_t cache_try;
uint64_t page_create_rate;
--
2.9.3

1048
SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch Normal file
View file

File diff suppressed because it is too large Load diff

41
SOURCES/0034-Ticket-48681-logconv.pl-fix-sasl-bind-stats.patch
View file

@ -1,41 +0,0 @@
From e9514af2fed9f882a8d11d509ffb99e49a304438 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 2 May 2017 16:49:59 -0400
Subject: [PATCH] Ticket 48681 - logconv.pl - fix sasl/bind stats
Description: Fixed the bind and sasl bind total counts, also adjusted the
v3 bind count to match the sasl bind.
https://pagure.io/389-ds-base/issue/48681
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 770bf3a2341f1ea2e0778a6443b0f89ed77e73af)
---
ldap/admin/src/logconv.pl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 96639f2..c30e175 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -2533,6 +2533,7 @@ sub parseLineNormal
}
if (/ BIND / && /method=sasl/i){
$saslBindCount++;
+ $bindCount++;
if ($_ =~ /mech=(.*)/i ){
my $mech = $1;
$hashes->{saslmech}->{$mech}++;
@@ -2550,6 +2551,8 @@ sub parseLineNormal
if (/ RESULT err=14 tag=97 / && / SASL bind in progress/){
# Drop the sasl bind count since this is step in the bind process
$saslBindCount--;
+ $bindCount--;
+ $v3BindCount--;
my ($conn, $op);
if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
$conn = $1;
--
2.9.3

43
SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch Normal file
View file

@ -0,0 +1,43 @@
From 2c868707b3ae1a4255ea33610b177f8a98f4a3f3 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 7 Nov 2017 17:09:18 +1000
Subject: [PATCH] Ticket 49441 - Import crashes - oneline fix
Bug Description: index.c fails to compile.
Fix Description: Excess braces due to copy paste issue.
https://pagure.io/389-ds-base/issue/49441
Author: wibrown
Review by: oneline rule
(cherry picked from commit be4d7e5a82c1616317fa52968d2814e3f922254c)
---
ldap/servers/slapd/back-ldbm/index.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index a565db87b..587f4d991 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -1778,7 +1778,6 @@ addordel_values(
key.flags = DB_DBT_USERMEM;
key.ulen = tmpbuflen;
if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
char encbuf[BUFSIZ];
slapi_log_err(SLAPI_LOG_TRACE, "addordel_values", "%s_value(\"%s\")\n",
@@ -1943,7 +1942,6 @@ addordel_values_sv(
key.ulen = tmpbuflen;
if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
char encbuf[BUFSIZ];
slapi_log_err(SLAPI_LOG_TRACE, "addordel_values_sv", "%s_value(\"%s\")\n",
--
2.13.6

51
SOURCES/0035-Ticket-49241-Update-man-page-and-usage-for-db2bak.pl.patch
View file

@ -1,51 +0,0 @@
From cdcc387f6f1287da1edda418d746e6c2c772e5bd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 4 May 2017 15:44:51 -0400
Subject: [PATCH] Ticket 49241 - Update man page and usage for db2bak.pl
Description: The usage and man page should state thtthe backup directory
is actually a symlink to the the server's backup directory.
Otherwise it is misleading, and could eventaully lead to
diskspace issues.
https://pagure.io/389-ds-base/issue/49241
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 0804c43991fa29ef7bd946b3e5a37844e2b87da4)
---
ldap/admin/src/scripts/db2bak.pl.in | 4 ++--
man/man8/db2bak.pl.8 | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ldap/admin/src/scripts/db2bak.pl.in b/ldap/admin/src/scripts/db2bak.pl.in
index c73caa1..73d4187 100644
--- a/ldap/admin/src/scripts/db2bak.pl.in
+++ b/ldap/admin/src/scripts/db2bak.pl.in
@@ -33,8 +33,8 @@ sub usage {
print(STDERR " -w - - Prompt for Directory Manager's password\n");
print(STDERR " -Z serverID - Server instance identifier\n");
print(STDERR " -j filename - Read Directory Manager's password from file\n");
- print(STDERR " -A backupdir - Backup directory (backupdir/ID-<date_time>)\n");
- print(STDERR " -a backupdir - Backup directory\n");
+ print(STDERR " -A backupdir - Backup directory symlink(backupdir/ID-<date_time>)\n");
+ print(STDERR " -a backupdir - Backup directory symlink\n");
print(STDERR " -t dbtype - Database type (default: ldbm database)\n");
print(STDERR " -P protocol - STARTTLS, LDAPS, LDAPI, LDAP (default: uses most secure protocol available)\n");
print(STDERR " -h - Display usage\n");
diff --git a/man/man8/db2bak.pl.8 b/man/man8/db2bak.pl.8
index a752885..c51ccae 100644
--- a/man/man8/db2bak.pl.8
+++ b/man/man8/db2bak.pl.8
@@ -47,7 +47,7 @@ The name of the file that contains the root DN password.
The backend database type (default: ldbm database).
.TP
.B \fB\-a\fR \fIbackupdir\fR
-The directory where the backup should be stored.
+The directory where the backup should be stored. This directory is a symbolic link to the actual backup files located under "nsslapd-bakdir" directory that is set in the "cn=config" entry.
.TP
.B \fB\-A\fR \fIbackupdir\fR
This is similar to \fB-a\fR, except that a sub-directory of \fIbackupdir\fR will be created for the backup, and the name of the sub-directory will be a timestamp of the form \fIserver-instance-date_time\fR.
--
2.9.3

44
SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch Normal file
View file

@ -0,0 +1,44 @@
From 40811ab7571ddf0a6905b3b019229bdb555bd04d Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 7 Nov 2017 12:42:11 +1000
Subject: [PATCH] Ticket 49377 - Incoming BER too large with TLS on plain port
Bug Description: When doing TLS to a plain port, a message of
"ber element 3 bytes too large for max ber" when max ber > 3.
Fix Description: When ber_len < maxber, report that the request
may be misformed instead of "oversize" instead. This can lead
to a better diagnosis.
https://pagure.io/389-ds-base/issue/49377
Author: wibrown
Review by: mreynolds (thanks!)
Cherry picked from commit b3629af054760d9421a41d63b8b8ed513bb6944d
---
ldap/servers/slapd/connection.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 3f19b9765..8ef115691 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -2176,6 +2176,13 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, ber_len_t maxbe
" is %" BERLEN_T " bytes. Change the nsslapd-maxbersize attribute in"
" cn=config to increase.\n",
conn->c_connid, conn->c_sd, maxbersize);
+ } else if (ber_len < maxbersize) {
+ /* This means the request was misformed, not too large. */
+ slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
+ "conn=%" PRIu64 " fd=%d Incoming BER Element may be misformed. "
+ "This may indicate an attempt to use TLS on a plaintext port, "
+ "IE ldaps://localhost:389. Check your client LDAP_URI settings.\n",
+ conn->c_connid, conn->c_sd);
} else {
slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
"conn=%" PRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable"
--
2.13.6

244
SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch Normal file
View file

@ -0,0 +1,244 @@
From 127e0d954eb7741c4afdc0305f7970b7ea164e8d Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Thu, 9 Nov 2017 11:28:34 +0100
Subject: [PATCH] Ticket 48118 - At startup, changelog can be erronously
rebuilt after a normal shutdown
Problem: There are two problems that can lead to inconsistent database and changelog maxruv:
1] the database ruv is written periodically in th ehouskeeping thread and at shutdown. It
relies on teh ruv_dirty flag, but due to a race condition this can be reset befor writing
the ruv
2] the changelog max ruv is updated whenever an operation is commutted, but in case of internal
operations inside the txn for a client operation, if the operation is aborted the cl maxruv
is not reset. Since it is only written at shutdown this normally is no problem, but if the
aborted operation is the last before shutdown or is aborted by shutdown the cl ruv is incorrect
Fix: the fix is in two parts:
1] remove the use of the dirty flag, ensure that the ruv is always written. The overhead for writing
a database ruv that has not changed is minimal
2] when writing the changelog maxruv check if the macsns it contains are really present in the
changelog. If not the maxruv is not written, it will be reconstructed at the next startup
Reviewed by: William,Thierry - Thanks
---
ldap/servers/plugins/replication/cl5_api.c | 39 ++++++++++++++++++++++
ldap/servers/plugins/replication/repl5.h | 1 -
ldap/servers/plugins/replication/repl5_replica.c | 32 +-----------------
.../plugins/replication/repl5_replica_config.c | 2 --
4 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index ec648c014..55032dfb0 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -250,6 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
static void _cl5WriteBerval(struct berval *bv, char **buff);
static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
+static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
+static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
/* replay iteration */
#ifdef FOR_DEBUGGING
@@ -2716,6 +2718,36 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
return CL5_SUCCESS;
}
+static int64_t
+_cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
+{
+ CL5DBFile *file = (CL5DBFile *)arg;
+ int rc = 0;
+
+ DBT key = {0}, data = {0};
+ char csnStr[CSN_STRSIZE];
+
+ /* construct the key */
+ key.data = csn_as_string(element->csn, PR_FALSE, csnStr);
+ key.size = CSN_STRSIZE;
+
+ data.flags = DB_DBT_MALLOC;
+
+ rc = file->db->get(file->db, NULL /*txn*/, &key, &data, 0);
+
+ slapi_ch_free(&(data.data));
+ return rc;
+}
+
+static int64_t
+_cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
+{
+ int rc = 0;
+
+ rc = ruv_enumerate_elements(maxruv, _cl5CheckCSNinCL, (void *)file);
+
+ return rc;
+}
/* upgrade from db33 to db41
* 1. Run recovery on the database environment using the DB_ENV->open method
* 2. Remove any Berkeley DB environment using the DB_ENV->remove method
@@ -4010,6 +4042,13 @@ _cl5WriteRUV(CL5DBFile *file, PRBool purge)
rc = ruv_to_bervals(file->maxRUV, &vals);
}
+ if (!purge && _cl5CheckMaxRUV(file, file->maxRUV)) {
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
+ "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
+ file->name);
+ return CL5_DB_ERROR;
+ }
+
key.size = CSN_STRSIZE;
rc = _cl5WriteBervals(vals, &buff, &data.size);
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index c6e79b7e2..4e206a0fc 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -725,7 +725,6 @@ Object *replica_get_for_backend(const char *be_name);
void replica_set_purge_delay(Replica *r, uint32_t purge_delay);
void replica_set_tombstone_reap_interval(Replica *r, long interval);
void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv);
-void replica_set_ruv_dirty(Replica *r);
Slapi_Entry *get_in_memory_ruv(Slapi_DN *suffix_sdn);
int replica_write_ruv(Replica *r);
char *replica_get_dn(Replica *r);
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index e5296bf1c..77f4f18e4 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -41,7 +41,6 @@ struct replica
ReplicaType repl_type; /* is this replica read-only ? */
ReplicaId repl_rid; /* replicaID */
Object *repl_ruv; /* replica update vector */
- PRBool repl_ruv_dirty; /* Dirty flag for ruv */
CSNPL *min_csn_pl; /* Pending list for minimal CSN */
void *csn_pl_reg_id; /* registration assignment for csn callbacks */
unsigned long repl_state_flags; /* state flags */
@@ -788,7 +787,6 @@ replica_set_ruv(Replica *r, RUV *ruv)
}
r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
- r->repl_ruv_dirty = PR_TRUE;
replica_unlock(r->repl_lock);
}
@@ -860,9 +858,6 @@ replica_update_ruv(Replica *r, const CSN *updated_csn, const char *replica_purl)
"to update RUV for replica %s, csn = %s\n",
slapi_sdn_get_dn(r->repl_root),
csn_as_string(updated_csn, PR_FALSE, csn_str));
- } else {
- /* RUV updated - mark as dirty */
- r->repl_ruv_dirty = PR_TRUE;
}
} else {
slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
@@ -1347,8 +1342,6 @@ replica_dump(Replica *r)
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tupdate dn: %s\n",
updatedn_list ? updatedn_list : "not configured");
slapi_ch_free_string(&updatedn_list);
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\truv: %s configured and is %sdirty\n",
- r->repl_ruv ? "" : "not", r->repl_ruv_dirty ? "" : "not ");
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tCSN generator: %s configured\n",
r->repl_csngen ? "" : "not");
/* JCMREPL - Dump Referrals */
@@ -1675,7 +1668,6 @@ replica_check_for_data_reload(Replica *r, void *arg __attribute__((unused)))
ruv_force_csn_update_from_ruv(upper_bound_ruv, r_ruv,
"Force update of database RUV (from CL RUV) -> ", SLAPI_LOG_NOTICE);
- replica_set_ruv_dirty(r);
}
} else {
@@ -2778,11 +2770,6 @@ replica_write_ruv(Replica *r)
replica_lock(r->repl_lock);
- if (!r->repl_ruv_dirty) {
- replica_unlock(r->repl_lock);
- return rc;
- }
-
PR_ASSERT(r->repl_ruv);
ruv_to_smod((RUV *)object_get_data(r->repl_ruv), &smod);
@@ -2817,14 +2804,10 @@ replica_write_ruv(Replica *r)
/* ruv does not exist - create one */
replica_lock(r->repl_lock);
- if (rc == LDAP_SUCCESS) {
- r->repl_ruv_dirty = PR_FALSE;
- } else if (rc == LDAP_NO_SUCH_OBJECT) {
+ if (rc == LDAP_NO_SUCH_OBJECT) {
/* this includes an internal operation - but since this only happens
during server startup - its ok that we have lock around it */
rc = _replica_configure_ruv(r, PR_TRUE);
- if (rc == 0)
- r->repl_ruv_dirty = PR_FALSE;
} else /* error */
{
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
@@ -3325,7 +3308,6 @@ replica_create_ruv_tombstone(Replica *r)
if (ruv_init_new(csnstr, r->repl_rid, purl, &ruv) == RUV_SUCCESS) {
r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
- r->repl_ruv_dirty = PR_TRUE;
return_value = LDAP_SUCCESS;
} else {
slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_create_ruv_tombstone - "
@@ -3365,8 +3347,6 @@ replica_create_ruv_tombstone(Replica *r)
slapi_add_internal_pb(pb);
e = NULL; /* add consumes e, upon success or failure */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &return_value);
- if (return_value == LDAP_SUCCESS)
- r->repl_ruv_dirty = PR_FALSE;
done:
slapi_entry_free(e);
@@ -3630,7 +3610,6 @@ replica_strip_cleaned_rids(Replica *r)
ruv_get_cleaned_rids(ruv, rid);
while (rid[i] != 0) {
ruv_delete_replica(ruv, rid[i]);
- replica_set_ruv_dirty(r);
if (replica_write_ruv(r)) {
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
"replica_strip_cleaned_rids - Failed to write RUV\n");
@@ -3744,15 +3723,6 @@ replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv)
}
}
-void
-replica_set_ruv_dirty(Replica *r)
-{
- PR_ASSERT(r);
- replica_lock(r->repl_lock);
- r->repl_ruv_dirty = PR_TRUE;
- replica_unlock(r->repl_lock);
-}
-
PRBool
replica_is_state_flag_set(Replica *r, int32_t flag)
{
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 9c8d6adbb..e025f34d8 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -937,7 +937,6 @@ replica_config_change_type_and_id(Replica *r, const char *new_type, const char *
replica_reset_csn_pl(r);
}
ruv_delete_replica(ruv, oldrid);
- replica_set_ruv_dirty(r);
cl5CleanRUV(oldrid);
replica_set_csn_assigned(r);
}
@@ -1323,7 +1322,6 @@ replica_execute_cleanruv_task(Object *r, ReplicaId rid, char *returntext __attri
return LDAP_UNWILLING_TO_PERFORM;
}
rc = ruv_delete_replica(local_ruv, rid);
- replica_set_ruv_dirty(replica);
if (replica_write_ruv(replica)) {
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "cleanAllRUV_task - Could not write RUV\n");
}
--
2.13.6

72
SOURCES/0036-Ticket-7662-db2index-not-properly-evalauating-argume.patch
View file

@ -1,72 +0,0 @@
From 0ac013079796cafb119379e40f24559187935851 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 3 May 2017 14:50:15 -0400
Subject: [PATCH] Ticket 7662 - db2index not properly evalauating arguments
Description: Fix a regression where the argument count gets adjusted
before it is checked for errors. The fix is to copy the
number before we shift the arguments, and use that copy
for the usage check.
https://pagure.io/389-ds-base/issue/47662
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 46011e24580fcee2f438506f91b9fc119306defc)
---
ldap/admin/src/scripts/db2index.in | 11 ++++++-----
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 2 +-
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/ldap/admin/src/scripts/db2index.in b/ldap/admin/src/scripts/db2index.in
index fec082e..04183d3 100755
--- a/ldap/admin/src/scripts/db2index.in
+++ b/ldap/admin/src/scripts/db2index.in
@@ -52,6 +52,7 @@ do
esac
done
+argnum=$#
shift $(($OPTIND - 1))
if [ $1 ]
then
@@ -71,18 +72,18 @@ fi
idxall=0
print_usage=0
-if [ -z $servid ] && [ $# -eq 0 ]; then
+if [ -z $servid ] && [ $argnum -eq 0 ]; then
idxall=1
-elif [ "$servid" ] && [ $# -eq 2 ]; then
+elif [ "$servid" ] && [ $argnum -eq 2 ]; then
idxall=1
elif [ -z $benameopt ] && [ -z $includeSuffix ]; then
print_usage=1
fi
-if [ -z $servid ] && [ $# -lt 2 ]; then
+if [ -z $servid ] && [ $argnum -lt 2 ]; then
print_usage=1
-elif [ -n "$servid" ] && [ $# -lt 4 ]; then
+elif [ -n "$servid" ] && [ $argnum -lt 4 ]; then
print_usage=1
-elif [ -n "$servid" ] && [ $# -eq 4 ]; then
+elif [ -n "$servid" ] && [ $argnum -eq 4 ]; then
idxall=1
fi
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index f8fed7c..a0710f7 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -3225,7 +3225,7 @@ upgradedb_core(Slapi_PBlock *pb, ldbm_instance *inst)
run_from_cmdline = (task_flags & SLAPI_TASK_RUNNING_FROM_COMMANDLINE);
be = inst->inst_be;
- slapi_log_err(SLAPI_LOG_ERR, "upgradedb_core",
+ slapi_log_err(SLAPI_LOG_INFO, "upgradedb_core",
"%s: Start upgradedb.\n", inst->inst_name);
if (!run_from_cmdline)
--
2.9.3

45
SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch Normal file
View file

@ -0,0 +1,45 @@
From fd06b282ffd06a5b3807c0396bff442f0c7568b1 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Wed, 15 Nov 2017 13:17:00 +0100
Subject: [PATCH] Ticket 48118 - fix compiler warning for incorrect return type
---
ldap/servers/plugins/replication/cl5_api.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index 55032dfb0..721013abf 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -250,8 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
static void _cl5WriteBerval(struct berval *bv, char **buff);
static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
-static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
-static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
+static int32_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
+static int32_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
/* replay iteration */
#ifdef FOR_DEBUGGING
@@ -2718,7 +2718,7 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
return CL5_SUCCESS;
}
-static int64_t
+static int32_t
_cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
{
CL5DBFile *file = (CL5DBFile *)arg;
@@ -2739,7 +2739,7 @@ _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
return rc;
}
-static int64_t
+static int32_t
_cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
{
int rc = 0;
--
2.13.6

71
SOURCES/0037-Ticket-49075-Adjust-logging-severity-levels.patch
View file

@ -1,71 +0,0 @@
From d3771cf05358c0230c8c77d7f7dabe9219ea7c8c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 3 May 2017 14:37:11 -0400
Subject: [PATCH] Ticket 49075 - Adjust logging severity levels
Description: There are places wherre we log a severity "ERR",
when in fact it is a benign message.
https://pagure.io/389-ds-base/issue/49075
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 0762e393850f54ce8462c45321b3db084bd8a0e1)
---
ldap/servers/slapd/back-ldbm/ldbm_instance_config.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index 36d830d..55f1887 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -118,10 +118,12 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
if (sane == UTIL_CACHESIZE_ERROR){
slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: unable to determine system memory limits.");
- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "Enable to determine system memory limits.\n");
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set",
+ "Enable to determine system memory limits.\n");
return LDAP_UNWILLING_TO_PERFORM;
} else if (sane == UTIL_CACHESIZE_REDUCED) {
- slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set", "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta);
+ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set",
+ "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta);
/*
* This works as: value = 100
* delta_original to inst, 20;
@@ -133,7 +135,8 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
}
}
if (inst->inst_cache.c_maxsize < MINCACHESIZE || val < MINCACHESIZE) {
- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "force a minimal value %"PRIu64"\n", MINCACHESIZE);
+ slapi_log_err(SLAPI_LOG_INFO, "ldbm_instance_config_cachememsize_set",
+ "force a minimal value %"PRIu64"\n", MINCACHESIZE);
/* This value will trigger an autotune next start up, but it should increase only */
val = MINCACHESIZE;
}
@@ -1134,7 +1137,7 @@ ldbm_instance_post_delete_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry*
return SLAPI_DSE_CALLBACK_ERROR;
}
- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_post_delete_instance_entry_callback",
+ slapi_log_err(SLAPI_LOG_INFO, "ldbm_instance_post_delete_instance_entry_callback",
"Removing '%s'.\n", instance_name);
cache_destroy_please(&inst->inst_cache, CACHE_TYPE_ENTRY);
@@ -1171,9 +1174,9 @@ ldbm_instance_post_delete_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry*
dbp = PR_smprintf("%s/%s", inst_dirp, direntry->name);
if (NULL == dbp) {
slapi_log_err(SLAPI_LOG_ERR,
- "ldbm_instance_post_delete_instance_entry_callback",
- "Failed to generate db path: %s/%s\n",
- inst_dirp, direntry->name);
+ "ldbm_instance_post_delete_instance_entry_callback",
+ "Failed to generate db path: %s/%s\n",
+ inst_dirp, direntry->name);
break;
}
--
2.9.3

62
SOURCES/0038-Ticket-49231-Fix-backport-issue.patch
View file

@ -1,62 +0,0 @@
From e0d5f86c9410bd29c0e4636d3072b24228e60128 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 5 May 2017 14:58:13 -0400
Subject: [PATCH] Ticket 49231 - Fix backport issue
Description: The cherry-pick was incorrect, and caused a crash
---
ldap/servers/slapd/saslbind.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6e544e6..8d23c52 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -759,26 +759,26 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
/* hard-wired mechanisms and slapi plugin registered mechanisms */
sup_ret = slapi_get_supported_saslmechanisms_copy();
- if (pb->pb_conn == NULL) return ret;
+ /* If we have a connection, get the provided list from SASL */
+ if (pb->pb_conn != NULL) {
+ sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
- sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
- if (sasl_conn == NULL) return ret;
-
- /* sasl library mechanisms are connection dependent */
- PR_EnterMonitor(pb->pb_conn->c_mutex);
- if (sasl_listmech(sasl_conn,
- NULL, /* username */
- "", ",", "",
- &str, NULL, NULL) == SASL_OK) {
- slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "sasl library mechs: %s\n", str);
- /* merge into result set */
- dupstr = slapi_ch_strdup(str);
- others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
- charray_merge(&ret, others, 1);
- charray_free(others);
- slapi_ch_free((void**)&dupstr);
+ /* sasl library mechanisms are connection dependent */
+ PR_EnterMonitor(pb->pb_conn->c_mutex);
+ if (sasl_listmech(sasl_conn,
+ NULL, /* username */
+ "", ",", "",
+ &str, NULL, NULL) == SASL_OK) {
+ slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "sasl library mechs: %s\n", str);
+ /* merge into result set */
+ dupstr = slapi_ch_strdup(str);
+ others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
+ charray_merge(&ret, others, 1);
+ charray_free(others);
+ slapi_ch_free((void**)&dupstr);
+ }
+ PR_ExitMonitor(pb->pb_conn->c_mutex);
}
- PR_ExitMonitor(pb->pb_conn->c_mutex);
/* Get the servers "allowed" list */
config_ret = config_get_allowed_sasl_mechs_array();
--
2.9.3

210
SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch Normal file
View file

@ -0,0 +1,210 @@
From e3dea0043973faf42f7756d840bc55aa8f143eb1 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Wed, 15 Nov 2017 13:44:02 +1000
Subject: [PATCH] Ticket 49298 - Correct error codes with config restore.
Bug Description: The piece of code uses 0 as an error - not 1,
and in some cases did not even check the codes or use the
correct logic.
Fix Description: Cleanup dse_check_file to better check the
content of files and communicate issues to the admin. Correct
slapd_bootstrap_config to correctly handle the cases of removal
and restore.
https://pagure.io/389-ds-base/issue/49298
Author: wibrown
Review by: mreynoolds & spichugi
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
(cherry picked from commit 75e55e26579955adf058e8adcba9a28779583b7b)
---
.../suites/config/removed_config_49298_test.py | 81 ++++++++++++++++++++++
ldap/servers/slapd/config.c | 15 ++--
ldap/servers/slapd/dse.c | 42 ++++++++---
3 files changed, 119 insertions(+), 19 deletions(-)
create mode 100644 dirsrvtests/tests/suites/config/removed_config_49298_test.py
diff --git a/dirsrvtests/tests/suites/config/removed_config_49298_test.py b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
new file mode 100644
index 000000000..e65236924
--- /dev/null
+++ b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
@@ -0,0 +1,81 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import pytest
+import os
+import logging
+import subprocess
+
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+def test_restore_config(topo):
+ """
+ Check that if a dse.ldif and backup are removed, that the server still starts.
+
+ :id: e1c38fa7-30bc-46f2-a934-f8336f387581
+ :setup: Standalone instance
+ :steps:
+ 1. Stop the instance
+ 2. Delete 'dse.ldif'
+ 3. Start the instance
+ :expectedresults:
+ 1. Steps 1 and 2 succeed.
+ 2. Server will succeed to start with restored cfg.
+ """
+ topo.standalone.stop()
+
+ dse_path = topo.standalone.get_config_dir()
+
+ log.info(dse_path)
+
+ for i in ('dse.ldif', 'dse.ldif.startOK'):
+ p = os.path.join(dse_path, i)
+ os.remove(p)
+
+ # This will pass.
+ topo.standalone.start()
+
+def test_removed_config(topo):
+ """
+ Check that if a dse.ldif and backup are removed, that the server
+ exits better than "segfault".
+
+ :id: b45272d1-c197-473e-872f-07257fcb2ec0
+ :setup: Standalone instance
+ :steps:
+ 1. Stop the instance
+ 2. Delete 'dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'
+ 3. Start the instance
+ :expectedresults:
+ 1. Steps 1 and 2 succeed.
+ 2. Server will fail to start, but will not crash.
+ """
+ topo.standalone.stop()
+
+ dse_path = topo.standalone.get_config_dir()
+
+ log.info(dse_path)
+
+ for i in ('dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'):
+ p = os.path.join(dse_path, i)
+ os.remove(p)
+
+ # We actually can't check the log output, because it can't read dse.ldif,
+ # don't know where to write it yet! All we want is the server fail to
+ # start here, rather than infinite run + segfault.
+ with pytest.raises(subprocess.CalledProcessError):
+ topo.standalone.start()
+
+
diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
index afe07df84..c8d57e747 100644
--- a/ldap/servers/slapd/config.c
+++ b/ldap/servers/slapd/config.c
@@ -121,14 +121,13 @@ slapd_bootstrap_config(const char *configdir)
"Passed null config directory\n");
return rc; /* Fail */
}
- PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir,
- CONFIG_FILENAME);
- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.tmp", configdir,
- CONFIG_FILENAME);
- if ((rc = dse_check_file(configfile, tmpfile)) == 0) {
- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir,
- CONFIG_FILENAME);
- rc = dse_check_file(configfile, tmpfile);
+ PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir, CONFIG_FILENAME);
+ PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir, CONFIG_FILENAME);
+ rc = dse_check_file(configfile, tmpfile);
+ if (rc == 0) {
+ /* EVERYTHING IS GOING WRONG, ARRGHHHHHH */
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_bootstrap_config", "No valid configurations can be accessed! You must restore %s from backup!\n", configfile);
+ return 0;
}
if ((rc = PR_GetFileInfo64(configfile, &prfinfo)) != PR_SUCCESS) {
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index 420248c24..653009f53 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -609,29 +609,49 @@ dse_check_file(char *filename, char *backupname)
if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS) {
if (prfinfo.size > 0) {
- return (1);
+ /* File exists and has content. */
+ return 1;
} else {
+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
+ "The config %s has zero length. Attempting restore ... \n", filename, rc);
rc = PR_Delete(filename);
}
+ } else {
+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
+ "The config %s can not be accessed. Attempting restore ... (reason: %d)\n", filename, rc);
}
if (backupname) {
+
+ if (PR_GetFileInfo64(backupname, &prfinfo) != PR_SUCCESS) {
+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
+ "The backup %s can not be accessed. Check it exists and permissions.\n", backupname);
+ return 0;
+ }
+
+ if (prfinfo.size <= 0) {
+ slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
+ "The backup file %s has zero length, refusing to restore it.\n", backupname);
+ return 0;
+ }
+
rc = PR_Rename(backupname, filename);
- } else {
- return (0);
- }
+ if (rc != PR_SUCCESS) {
+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
+ "The configuration file %s was NOT able to be restored from %s, error %d\n", filename, backupname, rc);
+ return 0;
+ }
- if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS && prfinfo.size > 0) {
slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
- "The configuration file %s was restored from backup %s\n", filename, backupname);
- return (1);
+ "The configuration file %s was restored from backup %s\n", filename, backupname);
+ return 1;
+
} else {
- slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
- "The configuration file %s was not restored from backup %s, error %d\n",
- filename, backupname, rc);
- return (0);
+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file", "No backup filename provided.\n");
+ return 0;
}
}
+
static int
dse_read_one_file(struct dse *pdse, const char *filename, Slapi_PBlock *pb, int primary_file)
{
--
2.13.6

25
SOURCES/0039-Ticket-49231-Fix-backport-issue-part2.patch
View file

@ -1,25 +0,0 @@
From fe06dee8f346a8d8ded338bb5080c4cd3b230eef Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 5 May 2017 18:33:36 -0400
Subject: [PATCH] Ticket 49231 - Fix backport issue (part2)
---
ldap/servers/slapd/saslbind.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 8d23c52..75b83fe 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -773,7 +773,7 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
/* merge into result set */
dupstr = slapi_ch_strdup(str);
others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
- charray_merge(&ret, others, 1);
+ charray_merge(&sup_ret, others, 1);
charray_free(others);
slapi_ch_free((void**)&dupstr);
}
--
2.9.3

99
SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch Normal file
View file

@ -0,0 +1,99 @@
From bfaf5b56bb1a416c5e058a9925642098c87e0330 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Thu, 30 Nov 2017 14:06:59 +0100
Subject: [PATCH] Ticket 49474 - sasl allow mechs does not operate correctly
Bug Description: In a fix to sasl allowed mechs, the logic
was not properly configured.
Fix Description: Alter the ids_sasl_supported_mech to be
clearer and simpler in it's design.
https://pagure.io/389-ds-base/issue/49474
Author: wibrown
Review by: tbordaz (Thank you!)
Cherry picked from f75cfbce07b79272a7f1a2e387dc232d45c169f5
---
ldap/servers/slapd/saslbind.c | 49 ++++++++-----------------------------------
1 file changed, 9 insertions(+), 40 deletions(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6734c32a7..67da97148 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -835,52 +835,21 @@ ids_sasl_listmech(Slapi_PBlock *pb)
static int
ids_sasl_mech_supported(Slapi_PBlock *pb, const char *mech)
{
- int i, ret = 0;
- char **mechs;
- char **allowed_mechs = NULL;
- char *dupstr;
- const char *str;
- int sasl_result = 0;
- Connection *pb_conn = NULL;
-
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- sasl_conn_t *sasl_conn = (sasl_conn_t *)pb_conn->c_sasl_conn;
slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "=>\n");
- /* sasl_listmech is not thread-safe - caller must lock pb_conn */
- sasl_result = sasl_listmech(sasl_conn,
- NULL, /* username */
- "", ",", "",
- &str, NULL, NULL);
- if (sasl_result != SASL_OK) {
- return 0;
- }
-
- dupstr = slapi_ch_strdup(str);
- mechs = slapi_str2charray(dupstr, ",");
- allowed_mechs = config_get_allowed_sasl_mechs_array();
+ char **allowed_mechs = ids_sasl_listmech(pb);
- for (i = 0; mechs[i] != NULL; i++) {
- if (strcasecmp(mech, mechs[i]) == 0) {
- if (allowed_mechs) {
- if (charray_inlist(allowed_mechs, (char *)mech) == 0) {
- ret = 1;
- }
- break;
- } else {
- ret = 1;
- break;
- }
- }
+ /* 0 indicates "now allowed" */
+ int allowed_mech_present = 0;
+ if (allowed_mechs != NULL) {
+ /* Returns 1 if present and allowed. */
+ allowed_mech_present = charray_inlist(allowed_mechs, (char *)mech);
+ charray_free(allowed_mechs);
}
- charray_free(allowed_mechs);
- charray_free(mechs);
- slapi_ch_free((void **)&dupstr);
-
slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "<=\n");
- return ret;
+ return allowed_mech_present;
}
/*
@@ -944,7 +913,7 @@ ids_sasl_check_bind(Slapi_PBlock *pb)
* different error code to SASL_NOMECH. Must be called
* while holding the pb_conn lock
*/
- if (!ids_sasl_mech_supported(pb, mech)) {
+ if (ids_sasl_mech_supported(pb, mech) == 0) {
rc = SASL_NOMECH;
goto sasl_check_result;
}
--
2.13.6

130
SOURCES/0040-Ticket-48681-logconv.pl-Fix-SASL-Bind-stats-and-rewo.patch
View file

@ -1,130 +0,0 @@
From e78c098543bbf64b03d1f3df98aa26184c435737 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 19 May 2017 11:18:20 -0400
Subject: [PATCH] Ticket 48681 - logconv.pl - Fix SASL Bind stats and rework
report format
Description: We were previously counting ANONYMOUS sasl bind mechanisms
as anonymous binds. The report was also changed to make the
binds stats clearer.
https://pagure.io/389-ds-base/issue/48681
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit f913252541c90ab7f3d62d74818c43ad01ff5c4e)
---
ldap/admin/src/logconv.pl | 52 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index c30e175..4932db4 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -1099,23 +1099,23 @@ print "Max BER Size Exceeded: $maxBerSizeCount\n";
print "\n";
print "Binds: $bindCount\n";
print "Unbinds: $unbindCount\n";
+print "------------------------------";
+print "-" x length $bindCount;
+print "\n";
print " - LDAP v2 Binds: $v2BindCount\n";
print " - LDAP v3 Binds: $v3BindCount\n";
-print " - AUTOBINDs: $autobindCount\n";
+print " - AUTOBINDs(LDAPI): $autobindCount\n";
print " - SSL Client Binds: $sslClientBindCount\n";
print " - Failed SSL Client Binds: $sslClientFailedCount\n";
print " - SASL Binds: $saslBindCount\n";
if ($saslBindCount > 0){
my $saslmech = $hashes->{saslmech};
foreach my $saslb ( sort {$saslmech->{$b} <=> $saslmech->{$a} } (keys %{$saslmech}) ){
- printf " %-4s - %s\n",$saslb, $saslmech->{$saslb};
+ printf " - %-4s: %s\n",$saslb, $saslmech->{$saslb};
}
}
-
print " - Directory Manager Binds: $rootDNBindCount\n";
print " - Anonymous Binds: $anonymousBindCount\n";
-my $otherBindCount = $bindCount -($rootDNBindCount + $anonymousBindCount);
-print " - Other Binds: $otherBindCount\n\n";
##########################################################################
# Verbose Logging Section #
@@ -1195,9 +1195,9 @@ if ($usage =~ /e/i || $verb eq "yes"){
}
####################################
-# #
+# #
# Print Failed Logins #
-# #
+# #
####################################
if ($verb eq "yes" || $usage =~ /f/ ){
@@ -2117,7 +2117,7 @@ sub parseLineNormal
($connID) = $_ =~ /conn=(\d*)\s/;
handleConnClose($connID);
}
- if (m/ BIND/ && $_ =~ /dn=\"(.*)\" method=128/i ){
+ if (m/ BIND / && $_ =~ /dn=\"(.*)\" method=128/i ){
my $binddn = $1;
if($reportStats){ inc_stats('bind',$s_stats,$m_stats); }
$bindCount++;
@@ -2531,21 +2531,49 @@ sub parseLineNormal
}
}
}
- if (/ BIND / && /method=sasl/i){
+ if (/ BIND / && $_ =~ /dn=\"(.*)\" method=sasl/i){
+ my $binddn = $1;
+ my ($conn, $op);
$saslBindCount++;
$bindCount++;
if ($_ =~ /mech=(.*)/i ){
my $mech = $1;
$hashes->{saslmech}->{$mech}++;
- my ($conn, $op);
if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
$conn = $1;
$op = $2;
$hashes->{saslconnop}->{$conn-$op} = $mech;
}
}
- if (/ mech=ANONYMOUS/){
- $anonymousBindCount++;
+ if ($binddn ne ""){
+ if($binddn eq $rootDN){ $rootDNBindCount++; }
+ if($usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ || $usage =~ /b/ || $verb eq "yes"){
+ $tmpp = $binddn;
+ $tmpp =~ tr/A-Z/a-z/;
+ $hashes->{bindlist}->{$tmpp}++;
+ $hashes->{bind_conn_op}->{"$serverRestartCount,$conn,$op"} = $tmpp;
+ }
+ }
+ }
+ if (/ RESULT err=/ && / tag=97 nentries=0 etime=/ && $_ =~ /dn=\"(.*)\"/i){
+ # Check if this is a sasl bind, if see we need to add the RESULT's dn as a bind dn
+ my $binddn = $1;
+ my ($conn, $op);
+ if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
+ $conn = $1;
+ $op = $2;
+ if ($hashes->{saslconnop}->{$conn-$op} ne ""){
+ # This was a SASL BIND - record the dn
+ if ($binddn ne ""){
+ if($binddn eq $rootDN){ $rootDNBindCount++; }
+ if($usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ || $usage =~ /b/ || $verb eq "yes"){
+ $tmpp = $binddn;
+ $tmpp =~ tr/A-Z/a-z/;
+ $hashes->{bindlist}->{$tmpp}++;
+ $hashes->{bind_conn_op}->{"$serverRestartCount,$conn,$op"} = $tmpp;
+ }
+ }
+ }
}
}
if (/ RESULT err=14 tag=97 / && / SASL bind in progress/){
--
2.9.4

78
SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch Normal file
View file

@ -0,0 +1,78 @@
From 30fa0e4c993d4a91a90327329b50f02e637fe049 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 28 Nov 2017 15:31:25 +0100
Subject: [PATCH] Ticket 49470 - overflow in pblock_get
Bug Description: While getting the connection id we used an int
not a uint64_t
Fix Description: Make the stack size uint64_t instead.
https://pagure.io/389-ds-base/issue/49470
Author: wibrown
Review by: tbordaz
---
ldap/servers/slapd/modify.c | 5 +++--
ldap/servers/slapd/pblock.c | 4 ++--
ldap/servers/slapd/slap.h | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 6309975ae..0dcac646b 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -281,11 +281,12 @@ do_modify(Slapi_PBlock *pb)
if (ignored_some_mods && (0 == smods.num_elements)) {
if (pb_conn->c_isreplication_session) {
- int connid, opid;
+ uint64_t connid;
+ int32_t opid;
slapi_pblock_get(pb, SLAPI_CONN_ID, &connid);
slapi_pblock_get(pb, SLAPI_OPERATION_ID, &opid);
slapi_log_err(SLAPI_LOG_ERR, "do_modify",
- "Rejecting replicated password policy operation(conn=%d op=%d) for "
+ "Rejecting replicated password policy operation(conn=%"PRIu64" op=%d) for "
"entry %s. To allow these changes to be accepted, set passwordIsGlobalPolicy to 'on' in "
"cn=config.\n",
connid, opid, rawdn);
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 8f87de5b5..4514c3ce6 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -412,7 +412,7 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
"slapi_pblock_get", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n");
return (-1);
}
- (*(PRUint64 *)value) = pblock->pb_conn->c_connid;
+ (*(uint64_t *)value) = pblock->pb_conn->c_connid;
break;
case SLAPI_CONN_DN:
/*
@@ -2538,7 +2538,7 @@ slapi_pblock_set(Slapi_PBlock *pblock, int arg, void *value)
"slapi_pblock_set", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n");
return (-1);
}
- pblock->pb_conn->c_connid = *((PRUint64 *)value);
+ pblock->pb_conn->c_connid = *((uint64_t *)value);
break;
case SLAPI_CONN_DN:
/*
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 44632580a..830944f72 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1604,7 +1604,7 @@ typedef struct conn
int c_gettingber; /* in the middle of ber_get_next */
BerElement *c_currentber; /* ber we're getting */
time_t c_starttime; /* when the connection was opened */
- PRUint64 c_connid; /* id of this connection for stats*/
+ uint64_t c_connid; /* id of this connection for stats*/
PRUint64 c_maxthreadscount; /* # of times a conn hit max threads */
PRUint64 c_maxthreadsblocked; /* # of operations blocked by maxthreads */
int c_opsinitiated; /* # ops initiated/next op id */
--
2.13.6

83
SOURCES/0041-Ticket-49157-ds-logpipe.py-crashes-for-non-existing-.patch
View file

@ -1,83 +0,0 @@
From a842e43becb9312574071b1460bfa835bfecc47b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 8 May 2017 14:12:53 -0400
Subject: [PATCH] Ticket 49157 - ds-logpipe.py crashes for non-existing users
Description: Remove all "raises", and gracefully exit with a message
https://pagure.io/389-ds-base/issue/49157
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 94ebab36770465a50e3f61590f0f1adec2cc9224)
---
ldap/admin/src/scripts/ds-logpipe.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
index dc1856a..13712ea 100644
--- a/ldap/admin/src/scripts/ds-logpipe.py
+++ b/ldap/admin/src/scripts/ds-logpipe.py
@@ -146,7 +146,8 @@ def open_pipe(logfname):
if e.errno == errno.EINTR:
continue # open was interrupted, try again
else: # hard error
- raise Exception("%s [%d]" % (e.strerror, e.errno))
+ print("%s [%d]" % (e.strerror, e.errno))
+ sys.exit(1)
return logf
def is_proc_alive(procpid):
@@ -156,7 +157,8 @@ def is_proc_alive(procpid):
except IOError as e:
if e.errno != errno.ENOENT: # may not exist yet - that's ok
# otherwise, probably permissions or other badness
- raise Exception("could not open file %s - %s [%d]" % (procfile, e.strerror, e.errno))
+ print("could not open file %s - %s [%d]" % (procfile, e.strerror, e.errno))
+ sys.exit(1)
# using /proc/pid failed, try kill
if not retval:
try:
@@ -177,7 +179,8 @@ def get_pid_from_file(pidfile):
except IOError as e:
if e.errno != errno.ENOENT: # may not exist yet - that's ok
# otherwise, probably permissions or other badness
- raise Exception("Could not read pid from file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
+ print("Could not read pid from file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
+ sys.exit(1)
if line:
procpid = int(line)
return procpid
@@ -188,7 +191,8 @@ def write_pid_file(pidfile):
pfd.write("%d\n" % os.getpid())
pfd.close()
except IOError as e:
- raise Exception("Could not write pid to file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
+ print("Could not write pid to file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
+ sys.exit(1)
def handle_script_pidfile(scriptpidfile):
scriptpid = get_pid_from_file(scriptpidfile)
@@ -216,7 +220,8 @@ def read_and_process_line(logf, plgfuncs):
if e.errno == errno.EINTR:
continue # read was interrupted, try again
else: # hard error
- raise Exception("%s [%d]" % (e.strerror, e.errno))
+ print("%s [%d]" % (e.strerror, e.errno))
+ sys.exit(1)
if line: # read something
for plgfunc in plgfuncs:
if not plgfunc(line):
@@ -312,7 +317,8 @@ except OSError as e:
print("Failed to create log pipe: " + str(e))
sys.exit(1)
else:
- raise Exception("%s [%d]" % (e.strerror, e.errno))
+ print("Failed to create log pipe - %s [error %d]" % (e.strerror, e.errno))
+ sys.ext(1)
if debug:
print("Listening to log pipe", logfname, "number of lines", maxlines)
--
2.9.4

84
SOURCES/0090-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch → SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
View file

@ -1,4 +1,4 @@
From 715bdd7fd707d4addf52c21051ec3ab90951a691 Mon Sep 17 00:00:00 2001
From 25844922007eea26f78d18171e51be3aa7b5e949 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Wed, 6 Dec 2017 15:14:57 +0100
Subject: [PATCH] Ticket 49471 - heap-buffer-overflow in ss_unescape
@ -26,11 +26,10 @@ Flag Day: no
Doc impact: no
(cherry picked from commit 5991388ce75fba8885579b769711d57acfd43cd3)
(cherry picked from commit 3fb1c408cb4065de8d9c0c1de050d08969d51bb0)
---
dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++
ldap/servers/plugins/collation/orfilter.c | 48 +++++++++-------
2 files changed, 106 insertions(+), 21 deletions(-)
ldap/servers/plugins/collation/orfilter.c | 14 +++--
2 files changed, 87 insertions(+), 6 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49471_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49471_test.py b/dirsrvtests/tests/tickets/ticket49471_test.py
@ -119,71 +118,44 @@ index 000000000..0456a5182
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
index 8f10f81b6..438efafef 100644
index 5a2d8a0ab..a98d90219 100644
--- a/ldap/servers/plugins/collation/orfilter.c
+++ b/ldap/servers/plugins/collation/orfilter.c
@@ -317,19 +317,21 @@ ss_unescape (struct berval* val)
char* t = s;
char* limit = s + val->bv_len;
@@ -313,12 +313,12 @@ ss_unescape(struct berval *val)
char *t = s;
char *limit = s + val->bv_len;
while (s < limit) {
- if (!memcmp (s, "\\2a", 3) ||
- !memcmp (s, "\\2A", 3)) {
- *t++ = WILDCARD;
- s += 3;
- } else if (!memcmp (s, "\\5c", 3) ||
- !memcmp (s, "\\5C", 3)) {
- *t++ = '\\';
- s += 3;
- } else {
- if (t == s) LDAP_UTF8INC (t);
- else t += LDAP_UTF8COPY (t, s);
- LDAP_UTF8INC (s);
- }
- if (!memcmp(s, "\\2a", 3) ||
- !memcmp(s, "\\2A", 3)) {
+ if (((limit - s) >= 3) &&
+ (!memcmp(s, "\\2a", 3) || !memcmp(s, "\\2A", 3))) {
+ *t++ = WILDCARD;
+ s += 3;
*t++ = WILDCARD;
s += 3;
- } else if (!memcmp(s, "\\5c", 3) ||
- !memcmp(s, "\\5C", 3)) {
+ } else if ((limit - s) >= 3 &&
+ (!memcmp(s, "\\5c", 3) || !memcmp(s, "\\5C", 3))) {
+ *t++ = '\\';
+ s += 3;
+ } else {
+ if (t == s)
+ LDAP_UTF8INC(t);
+ else
+ t += LDAP_UTF8COPY(t, s);
+ LDAP_UTF8INC(s);
+ }
}
val->bv_len = t - val->bv_val;
}
@@ -405,14 +407,18 @@ ss_filter_values (struct berval* pattern, int* query_op)
n = 0;
s = pattern->bv_val;
for (p = s; p < plimit; LDAP_UTF8INC(p)) {
- switch (*p) {
- case WILDCARD:
- result[n++] = ss_filter_value (s, p-s, &val);
- while (++p != plimit && *p == WILDCARD);
- s = p;
- break;
- default: break;
- }
+ switch (*p) {
+ case WILDCARD:
+ result[n++] = ss_filter_value(s, p - s, &val);
*t++ = '\\';
s += 3;
} else {
@@ -409,13 +409,15 @@ ss_filter_values(struct berval *pattern, int *query_op)
switch (*p) {
case WILDCARD:
result[n++] = ss_filter_value(s, p - s, &val);
- while (++p != plimit && *p == WILDCARD)
- ;
+ while (p != plimit && *p == WILDCARD) p++;
+ s = p;
+ break;
+ default:
+ break;
+ }
s = p;
break;
default:
break;
}
+ if (p >= plimit) {
+ break;
+ }
}
if (p != s || s == plimit) {
result[n++] = ss_filter_value (s, p-s, &val);
result[n++] = ss_filter_value(s, p - s, &val);
--
2.13.6

202
SOURCES/0042-Ticket-49249-cos_cache-is-erroneously-logging-schema.patch
View file

@ -1,202 +0,0 @@
From 834b5f7355d4233c4b9d6931ba6ec8482413bca8 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 11 May 2017 09:21:38 +0200
Subject: [PATCH] Ticket 49249 - cos_cache is erroneously logging schema
checking failure
Bug Description:
cos is generating virtual attributes in several steps.
One of the first step is to check that the generated attribute will
conform the schema.
Then additional checks (override/merge and cos scope) are performed.
If the entry does not conform the schema, it skips the additional checks.
In such case it logs a message stating that the virtual attribute does not
apply.
During slapi-log-err refactoring (https://pagure.io/389-ds-base/issue/48978)
the logging level, in case of schema violation, was move from SLAPI_LOG_PLUGIN
to SLAPI_LOG_ERR.
This change is incorrect because the potential failure to schema check is
normal and does not imply the cos would apply to the entry (for example if
the entry was not in the scope, the cos would also be skipped).
Fix Description:
Move back the logging level from SLAPI_LOG_ERR to SLAPI_LOG_PLUGIN
https://pagure.io/389-ds-base/issue/49249
Reviewed by: Mark Reynolds
Platforms tested: F23
Flag Day: no
Doc impact: no
---
dirsrvtests/tests/tickets/ticket49249_test.py | 140 ++++++++++++++++++++++++++
ldap/servers/plugins/cos/cos_cache.c | 2 +-
2 files changed, 141 insertions(+), 1 deletion(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49249_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49249_test.py b/dirsrvtests/tests/tickets/ticket49249_test.py
new file mode 100644
index 0000000..1dfd07e
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49249_test.py
@@ -0,0 +1,140 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+COS_BRANCH = 'ou=cos_scope,' + DEFAULT_SUFFIX
+COS_DEF = 'cn=cos_definition,' + COS_BRANCH
+COS_TEMPLATE = 'cn=cos_template,' + COS_BRANCH
+INVALID_USER_WITH_COS = 'cn=cos_user_no_mail,' + COS_BRANCH
+VALID_USER_WITH_COS = 'cn=cos_user_with_mail,' + COS_BRANCH
+
+NO_COS_BRANCH = 'ou=no_cos_scope,' + DEFAULT_SUFFIX
+INVALID_USER_WITHOUT_COS = 'cn=no_cos_user_no_mail,' + NO_COS_BRANCH
+VALID_USER_WITHOUT_COS = 'cn=no_cos_user_with_mail,' + NO_COS_BRANCH
+
+def test_ticket49249(topo):
+ """Write your testcase here...
+
+ Also, if you need any testcase initialization,
+ please, write additional fixture for that(include finalizer).
+ """
+ # Add the branches
+ try:
+ topo.standalone.add_s(Entry((COS_BRANCH, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'ou': 'cos_scope'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add cos_scope: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry((NO_COS_BRANCH, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'ou': 'no_cos_scope'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add no_cos_scope: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry((COS_TEMPLATE, {
+ 'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(),
+ 'cn': 'cos_template',
+ 'cosPriority': '1',
+ 'cn': 'cn=nsPwTemplateEntry,ou=level1,dc=example,dc=com',
+ 'mailAlternateAddress': 'hello@world'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add cos_template: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.add_s(Entry((COS_DEF, {
+ 'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(),
+ 'cn': 'cos_definition',
+ 'costemplatedn': COS_TEMPLATE,
+ 'cosAttribute': 'mailAlternateAddress default'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add cos_definition: error ' + e.message['desc'])
+ assert False
+
+ try:
+ # This entry is not allowed to have mailAlternateAddress
+ topo.standalone.add_s(Entry((INVALID_USER_WITH_COS, {
+ 'objectclass': 'top person'.split(),
+ 'cn': 'cos_user_no_mail',
+ 'sn': 'cos_user_no_mail'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add cos_user_no_mail: error ' + e.message['desc'])
+ assert False
+
+ try:
+ # This entry is allowed to have mailAlternateAddress
+ topo.standalone.add_s(Entry((VALID_USER_WITH_COS, {
+ 'objectclass': 'top mailGroup'.split(),
+ 'cn': 'cos_user_with_mail'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add cos_user_no_mail: error ' + e.message['desc'])
+ assert False
+
+ try:
+ # This entry is not allowed to have mailAlternateAddress
+ topo.standalone.add_s(Entry((INVALID_USER_WITHOUT_COS, {
+ 'objectclass': 'top person'.split(),
+ 'cn': 'no_cos_user_no_mail',
+ 'sn': 'no_cos_user_no_mail'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add no_cos_user_no_mail: error ' + e.message['desc'])
+ assert False
+
+ try:
+ # This entry is allowed to have mailAlternateAddress
+ topo.standalone.add_s(Entry((VALID_USER_WITHOUT_COS, {
+ 'objectclass': 'top mailGroup'.split(),
+ 'cn': 'no_cos_user_with_mail'
+ })))
+ except ldap.LDAPError as e:
+ log.error('Failed to add no_cos_user_with_mail: error ' + e.message['desc'])
+ assert False
+
+ try:
+ entries = topo.standalone.search_s(SUFFIX, ldap.SCOPE_SUBTREE, '(mailAlternateAddress=*)')
+ assert len(entries) == 1
+ assert entries[0].hasValue('mailAlternateAddress', 'hello@world')
+ except ldap.LDAPError as e:
+ log.fatal('Unable to retrieve cos_user_with_mail (only entry with mailAlternateAddress) : error %s' % (USER1_DN, e.message['desc']))
+ assert False
+
+ assert not topo.standalone.ds_error_log.match(".*cos attribute mailAlternateAddress failed schema.*")
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index 8942254..66c6c7f 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -2362,7 +2362,7 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context,
if(!cos_cache_schema_check(pCache, attr_index, pObjclasses))
{
- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_query_attr - cos attribute %s failed schema check on dn: %s\n",type,pDn);
+ slapi_log_err(SLAPI_LOG_PLUGIN, COS_PLUGIN_SUBSYSTEM, "cos_cache_query_attr - cos attribute %s failed schema check on dn: %s\n",type,pDn);
goto bail;
}
}
--
2.9.4

34
SOURCES/0042-Ticket-49298-fix-complier-warn.patch Normal file
View file

@ -0,0 +1,34 @@
From 189c3ce4d5b5c9341a60d4056dad26133d9607ca Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Fri, 17 Nov 2017 11:43:36 +1000
Subject: [PATCH] Ticket 49298 - fix complier warn
Bug Description: Extra argument to error log in dse.c
Fix Description: Remove extra argument.
https://pagure.io/389-ds-base/issue/49298
Author: wibrown
Review by: oneline rule.
---
ldap/servers/slapd/dse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index 653009f53..662e91aa7 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -613,7 +613,7 @@ dse_check_file(char *filename, char *backupname)
return 1;
} else {
slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
- "The config %s has zero length. Attempting restore ... \n", filename, rc);
+ "The config %s has zero length. Attempting restore ... \n", filename);
rc = PR_Delete(filename);
}
} else {
--
2.13.6

243
SOURCES/0043-Ticket-49238-AddressSanitizer-heap-use-after-free-in.patch
View file

@ -1,243 +0,0 @@
From 4182dd8bbff22f9e0e45b763a4619c0bc8dcb153 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 9 May 2017 12:31:58 -0400
Subject: [PATCH] Ticket 49238 - AddressSanitizer: heap-use-after-free in
libreplication
Bug Description:
The bug is detected in csn pending list component, when
accessing a csn that has already been freed.
The bug is mostly detectable under ASAN because under normal run
the read access to the csn would only crash if the csn was in
an unmapped page (that is quite difficult to acheive).
The bug was observed under the following conditions:
- very slow machine
- all instances running on the same machine
The patch address 2 issues
Issue - 1
Under specfic circumstance (failure, like "db_deadlock" during changelog update),
the csn was freed but still present in the pending list (fix-1).
Issue - 2
Further investigations, showed an other corner case where a
replica could be updated by several suppliers in parallel.
In such scenario, an update (on one thread-2) with a higher csn (let csn-2)
may be applied before an update (on another thread-1) with a smaller
csn (let csn-1).
csn-2 is freed when thread-2 complete but the csn-2 will remain
in the pending list until csn-1 is commited.
so followup of pending list may access a csn that was freed
Fix Description:
Issue - 1
The fix in repl5_plugins.c, frees the csn (thread private area)
at the condition pending list was roll up for that csn (ruv update).
Issue - 2
The fix is in two parts:
If a supplier tries to acquire a replica while it is
already owner of it, the replica is granted.
If a supplier owns a replica and is asking again for it,
but this time the replica is not granted, the replica is release and
the supplier disconnected.
https://pagure.io/389-ds-base/issue/49238
Reviewed by: Mark Reynolds, Ludwig Krispenz, William Brown (thanks to you all !!)
Platforms tested: 7.4
Flag Day: no
Doc impact: no
---
ldap/servers/plugins/replication/repl5.h | 1 +
ldap/servers/plugins/replication/repl5_plugins.c | 7 +++-
ldap/servers/plugins/replication/repl5_replica.c | 49 +++++++++++++++++++-----
ldap/servers/plugins/replication/repl_extop.c | 42 ++++++++++++++++++--
4 files changed, 86 insertions(+), 13 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index c3bd10c..1d8989c 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -549,6 +549,7 @@ void replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid);
PRBool replica_get_tombstone_reap_active(const Replica *r);
const Slapi_DN *replica_get_root(const Replica *r);
const char *replica_get_name(const Replica *r);
+uint64_t replica_get_locking_conn(const Replica *r);
ReplicaId replica_get_rid (const Replica *r);
void replica_set_rid (Replica *r, ReplicaId rid);
PRBool replica_is_initialized (const Replica *r);
diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index ebcc230..9ef06af 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1224,7 +1224,12 @@ common_return:
opcsn = operation_get_csn(op);
prim_csn = get_thread_primary_csn();
if (csn_is_equal(opcsn, prim_csn)) {
- set_thread_primary_csn(NULL);
+ if (return_value == 0) {
+ /* the primary csn was succesfully committed
+ * unset it in the thread local data
+ */
+ set_thread_primary_csn(NULL);
+ }
}
if (repl_obj) {
object_release (repl_obj);
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index a106f8b..1bdc138 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -64,6 +64,7 @@ struct replica {
PRBool state_update_inprogress; /* replica state is being updated */
PRLock *agmt_lock; /* protects agreement creation, start and stop */
char *locking_purl; /* supplier who has exclusive access */
+ uint64_t locking_conn; /* The supplier's connection id */
Slapi_Counter *protocol_timeout;/* protocol shutdown timeout */
Slapi_Counter *backoff_min; /* backoff retry minimum */
Slapi_Counter *backoff_max; /* backoff retry maximum */
@@ -602,19 +603,32 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi
slapi_sdn_get_dn(r->repl_root),
r->locking_purl ? r->locking_purl : "unknown");
rval = PR_FALSE;
+ if (!(r->repl_state_flags & REPLICA_TOTAL_IN_PROGRESS)) {
+ /* inc update */
+ if (r->locking_purl && r->locking_conn == connid) {
+ /* This is the same supplier connection, reset the replica
+ * purl, and return success */
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
+ "replica_get_exclusive_access - "
+ "This is a second acquire attempt from the same replica connection "
+ " - return success instead of busy\n");
+ slapi_ch_free_string(&r->locking_purl);
+ r->locking_purl = slapi_ch_strdup(locking_purl);
+ rval = PR_TRUE;
+ goto done;
+ }
+ if (replica_get_release_timeout(r)) {
+ /*
+ * Abort the current session so other replicas can acquire
+ * this server.
+ */
+ r->abort_session = ABORT_SESSION;
+ }
+ }
if (current_purl)
{
*current_purl = slapi_ch_strdup(r->locking_purl);
}
- if (!(r->repl_state_flags & REPLICA_TOTAL_IN_PROGRESS) &&
- replica_get_release_timeout(r))
- {
- /*
- * We are not doing a total update, so abort the current session
- * so other replicas can acquire this server.
- */
- r->abort_session = ABORT_SESSION;
- }
}
else
{
@@ -642,7 +656,9 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi
}
slapi_ch_free_string(&r->locking_purl);
r->locking_purl = slapi_ch_strdup(locking_purl);
+ r->locking_conn = connid;
}
+done:
replica_unlock(r->repl_lock);
return rval;
}
@@ -720,6 +736,18 @@ replica_get_name(const Replica *r) /* ONREPL - should we return copy instead? */
return(r->repl_name);
}
+/*
+ * Returns locking_conn of this replica
+ */
+uint64_t
+replica_get_locking_conn(const Replica *r)
+{
+ uint64_t connid;
+ replica_lock(r->repl_lock);
+ connid = r->locking_conn;
+ replica_unlock(r->repl_lock);
+ return connid;
+}
/*
* Returns replicaid of this replica
*/
@@ -2251,6 +2279,9 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext)
}
r->tombstone_reap_stop = r->tombstone_reap_active = PR_FALSE;
+
+ /* No supplier holding the replica */
+ r->locking_conn = ULONG_MAX;
return (_replica_check_validity (r));
}
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index 412caec..a39d918 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -1138,9 +1138,45 @@ send_response:
*/
if (NULL != connext && NULL != connext->replica_acquired)
{
- Object *r_obj = (Object*)connext->replica_acquired;
- replica_relinquish_exclusive_access((Replica*)object_get_data (r_obj),
- connid, opid);
+ Replica *r = (Replica*)object_get_data ((Object*)connext->replica_acquired);
+ uint64_t r_locking_conn;
+
+ /* At this point the supplier runs a Replica Agreement for
+ * the specific replica connext->replica_acquired.
+ * The RA does not know it holds the replica (because it is
+ * sending this request).
+ * The situation is confused
+ */
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - "
+ "already acquired replica: replica not ready (%d) (replica=%s)\n", response, replica_get_name(r) ? replica_get_name(r) : "no name");
+
+ /*
+ * On consumer side, we release the exclusive access at the
+ * condition this is this RA that holds the replica
+ */
+ if (r) {
+
+ r_locking_conn = replica_get_locking_conn(r);
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - "
+ "already acquired replica: locking_conn=%d, current connid=%d\n", (int) r_locking_conn, (int) connid);
+
+ if ((r_locking_conn != ULONG_MAX) && (r_locking_conn == connid)) {
+ replica_relinquish_exclusive_access(r, connid, opid);
+ object_release((Object*) connext->replica_acquired);
+ connext->replica_acquired = NULL;
+ }
+ }
+ /*
+ * On consumer side we should not keep a incoming connection
+ * with replica_acquired set although the supplier is not aware of
+ *
+ * On the supplier, we need to close the connection so
+ * that the RA will restart a new session in a clear state
+ */
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - "
+ "already acquired replica: disconnect conn=%d\n", connid);
+ slapi_disconnect_server(conn);
+
}
/* Remove any flags that would indicate repl session in progress */
if (NULL != connext)
--
2.9.4

153
SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch Normal file
View file

@ -0,0 +1,153 @@
From 2c56e7dc08a41fc1dfa6a79213e93686f553847c Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Mon, 11 Dec 2017 15:48:24 +0100
Subject: [PATCH] Ticket 49495 - Fix memory management is vattr.
Bug Description: During the fix for
https://pagure.io/389-ds-base/issue/49436 a issue was exposed
in how registration of attributes to cos work. With the change
to handle -> attr link, this exposed that cos treats each attribute
and template pair as a new type for the handle. As aresult, this
caused the sp_list to create a long linked list of M*N entries
for each attr - template value. Obviously, this is extremely
slow to traverse during a search!
Fix Description: Undo part of the SLL next change and convert
to reference counting. The issue remains that there is a defect
in how cos handles attribute registration, but this can not be
resolved without a significant rearchitecture of the code
related to virtual attributes.
https://pagure.io/389-ds-base/issue/49495
Author: wibrown
Review by: tbordaz, lkrispen (Thanks!)
---
ldap/servers/plugins/cos/cos_cache.c | 28 +++++++++++-----------------
ldap/servers/slapd/vattr.c | 23 +++++++++++++++++++++--
2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index 662dace35..3b3c05783 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -275,7 +275,7 @@ static Slapi_Mutex *start_lock;
static Slapi_Mutex *stop_lock;
static Slapi_CondVar *something_changed = NULL;
static Slapi_CondVar *start_cond = NULL;
-
+static vattr_sp_handle *vattr_handle = NULL;
/*
cos_cache_init
@@ -314,6 +314,15 @@ cos_cache_init(void)
goto out;
}
+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
+ cos_cache_vattr_get,
+ cos_cache_vattr_compare,
+ cos_cache_vattr_types) != 0) {
+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider\n");
+ ret = -1;
+ goto out;
+ }
+
/* grab the views interface */
if (slapi_apib_get_interface(Views_v1_0_GUID, &views_api)) {
/* lets be tolerant if views is disabled */
@@ -847,22 +856,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
dnVals[valIndex]->bv_val);
}
- /*
- * Each SP_handle is associated to one and only one vattr.
- * We could consider making this a single function rather
- * than the double-call.
- */
-
- vattr_sp_handle *vattr_handle = NULL;
-
- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
- cos_cache_vattr_get,
- cos_cache_vattr_compare,
- cos_cache_vattr_types) != 0) {
- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val);
- } else {
- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
- }
+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
} /* if(attrType is cosAttribute) */
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index 432946c79..13e527188 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -1544,6 +1544,7 @@ struct _vattr_sp_handle
vattr_sp *sp;
struct _vattr_sp_handle *next; /* So we can link them together in the map */
void *hint; /* Hint to the SP */
+ uint64_t rc;
};
/* Calls made by Service Providers */
@@ -1770,7 +1771,7 @@ is a separate thing in the insterests of stability.
*/
-#define VARRT_MAP_HASHTABLE_SIZE 10
+#define VARRT_MAP_HASHTABLE_SIZE 32
/* Attribute map oject */
/* Needs to contain: a linked list of pointers to provider handles handles,
@@ -1867,7 +1868,10 @@ vattr_map_entry_free(vattr_map_entry *vae)
vattr_sp_handle *list_entry = vae->sp_list;
while (list_entry != NULL) {
vattr_sp_handle *next_entry = list_entry->next;
- slapi_ch_free((void **)&list_entry);
+ if (slapi_atomic_decr_64(&(list_entry->rc), __ATOMIC_RELAXED) == 0) {
+ /* Only free on RC 0 */
+ slapi_ch_free((void **)&list_entry);
+ }
list_entry = next_entry;
}
slapi_ch_free_string(&(vae->type_name));
@@ -2280,6 +2284,17 @@ to handle the calls on it, but return nothing */
*
* Better idea, is that regattr should just take the fn pointers
* and callers never *see* the sp_handle structure at all.
+ *
+ * This leaves us with some quirks today. First: if you have plugin A
+ * and B, A registers attr 1 and B 1 and 2, it's possible that if you
+ * register A1 first, then B1, you have B->A in next. Then when you
+ * register B2, because we take 0==result from map_lookup, we add sp
+ * "as is" to the map. This means that B2 now has the same next to A1
+ * handle. This won't add a bug, because A1 won't be able to service the
+ * attr, but it could cause some head scratching ...
+ *
+ * Again, to fix this, the whole vattr external interface needs a
+ * redesign ... :(
*/
int
@@ -2304,11 +2319,15 @@ vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
if (found) {
return 0;
}
+ /* Increase the ref count of the sphandle */
+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
/* We insert the SP handle into the linked list at the head */
sp->next = map_entry->sp_list;
map_entry->sp_list = sp;
} else {
/* If not, add it */
+ /* Claim a reference on the sp ... */
+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
map_entry = vattr_map_entry_new(type_to_add, sp, hint);
if (NULL == map_entry) {
return ENOMEM;
--
2.13.6

215
SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch Normal file
View file

@ -0,0 +1,215 @@
From 0c1fbfaf77d6f7b2a6628deaf309bbe1c3e7a8e8 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 28 Nov 2017 13:39:19 +0100
Subject: [PATCH] Ticket 48184 - close connections at shutdown cleanly.
Bug Description: During shutdown we would not close connections.
In the past this may have just been an annoyance, but now with the way
nunc-stans works, io events can still trigger on open xeisting connectinos
during shutdown.
Fix Description: Close connections during shutdown rather than
leaving them alive.
https://pagure.io/389-ds-base/issue/48184
Author: wibrown
Review by: lkrispen, vashirov (Thank you!)
---
ldap/servers/slapd/conntable.c | 13 +++++++
ldap/servers/slapd/daemon.c | 77 ++++++++++++++++++++++++++----------------
ldap/servers/slapd/fe.h | 1 +
ldap/servers/slapd/slap.h | 1 +
4 files changed, 63 insertions(+), 29 deletions(-)
diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
index 7c57b47cd..f2f763dfa 100644
--- a/ldap/servers/slapd/conntable.c
+++ b/ldap/servers/slapd/conntable.c
@@ -91,6 +91,19 @@ connection_table_abandon_all_operations(Connection_Table *ct)
}
}
+void
+connection_table_disconnect_all(Connection_Table *ct)
+{
+ for (size_t i = 0; i < ct->size; i++) {
+ if (ct->c[i].c_mutex) {
+ Connection *c = &(ct->c[i]);
+ PR_EnterMonitor(c->c_mutex);
+ disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED);
+ PR_ExitMonitor(c->c_mutex);
+ }
+ }
+}
+
/* Given a file descriptor for a socket, this function will return
* a slot in the connection table to use.
*
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 4e0466ab3..c245a4d4e 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1176,6 +1176,30 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
disk_monitoring_stop();
+ /*
+ * Now that they are abandonded, we need to mark them as done.
+ * In NS while it's safe to allow excess jobs to be cleaned by
+ * by the walk and ns_job_done of remaining queued events, the
+ * issue is that if we allow something to live past this point
+ * the CT is freed from underneath, and bad things happen (tm).
+ *
+ * NOTE: We do this after we stop psearch, because there could
+ * be a race between flagging the psearch done, and users still
+ * try to send on the connection. Similar with op_threads.
+ */
+ connection_table_disconnect_all(the_connection_table);
+
+ /*
+ * WARNING: Normally we should close the tp in main
+ * but because of issues in the current connection design
+ * we need to close it here to guarantee events won't fire!
+ *
+ * All the connection close jobs "should" complete before
+ * shutdown at least.
+ */
+ ns_thrpool_shutdown(tp);
+ ns_thrpool_wait(tp);
+
threads = g_get_active_threadcnt();
if (threads > 0) {
slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon",
@@ -1628,23 +1652,18 @@ ns_handle_closure(struct ns_job_t *job)
Connection *c = (Connection *)ns_job_get_data(job);
int do_yield = 0;
-/* this function must be called from the event loop thread */
-#ifdef DEBUG
- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
-#else
- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- return;
- }
-#endif
PR_EnterMonitor(c->c_mutex);
+ /* Assert we really have the right job state. */
+ PR_ASSERT(job == c->c_job);
+
connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */
PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */
c->c_ns_close_jobs--; /* this job is processing closure */
+ /* Because handle closure will add a new job, we need to detach our current one. */
+ c->c_job = NULL;
do_yield = ns_handle_closure_nomutex(c);
PR_ExitMonitor(c->c_mutex);
+ /* Remove this task now. */
ns_job_done(job);
if (do_yield) {
/* closure not done - another reference still outstanding */
@@ -1667,6 +1686,14 @@ ns_connection_post_io_or_closing(Connection *conn)
return;
}
+ /*
+ * Cancel any existing ns jobs we have registered.
+ */
+ if (conn->c_job != NULL) {
+ ns_job_done(conn->c_job);
+ conn->c_job = NULL;
+ }
+
if (CONN_NEEDS_CLOSING(conn)) {
/* there should only ever be 0 or 1 active closure jobs */
PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1));
@@ -1676,13 +1703,10 @@ ns_connection_post_io_or_closing(Connection *conn)
conn->c_connid, conn->c_sd);
return;
} else {
- /* just make sure we schedule the event to be closed in a timely manner */
- tv.tv_sec = 0;
- tv.tv_usec = slapd_wakeup_timer * 1000;
conn->c_ns_close_jobs++; /* now 1 active closure job */
connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
- ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
- ns_handle_closure, conn, NULL);
+ /* Close the job asynchronously. Why? */
+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
if (job_result != NS_SUCCESS) {
if (job_result == NS_SHUTDOWN) {
slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
@@ -1726,7 +1750,7 @@ ns_connection_post_io_or_closing(Connection *conn)
#endif
ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
NS_JOB_READ | NS_JOB_PRESERVE_FD,
- ns_handle_pr_read_ready, conn, NULL);
+ ns_handle_pr_read_ready, conn, &(conn->c_job));
if (job_result != NS_SUCCESS) {
if (job_result == NS_SHUTDOWN) {
slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
@@ -1755,19 +1779,13 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
int maxthreads = config_get_maxthreadsperconn();
Connection *c = (Connection *)ns_job_get_data(job);
-/* this function must be called from the event loop thread */
-#ifdef DEBUG
- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
-#else
- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- return;
- }
-#endif
-
PR_EnterMonitor(c->c_mutex);
+ /* Assert we really have the right job state. */
+ PR_ASSERT(job == c->c_job);
+
+ /* On all code paths we remove the job, so set it null now */
+ c->c_job = NULL;
+
slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n",
c->c_connid, c->c_sd);
/* if we were called due to some i/o event, see what the state of the socket is */
@@ -1826,6 +1844,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
c->c_connid, c->c_sd);
}
+ /* Since we call done on the job, we need to remove it here. */
PR_ExitMonitor(c->c_mutex);
ns_job_done(job);
return;
diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
index 4d25a9fb8..f47bb6145 100644
--- a/ldap/servers/slapd/fe.h
+++ b/ldap/servers/slapd/fe.h
@@ -100,6 +100,7 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c
Connection_Table *connection_table_new(int table_size);
void connection_table_free(Connection_Table *ct);
void connection_table_abandon_all_operations(Connection_Table *ct);
+void connection_table_disconnect_all(Connection_Table *ct);
Connection *connection_table_get_connection(Connection_Table *ct, int sd);
int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c);
void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 830944f72..08754d8fb 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1644,6 +1644,7 @@ typedef struct conn
void *c_io_layer_cb_data; /* callback data */
struct connection_table *c_ct; /* connection table that this connection belongs to */
ns_thrpool_t *c_tp; /* thread pool for this connection */
+ struct ns_job_t *c_job; /* If it exists, the current ns_job_t */
int c_ns_close_jobs; /* number of current close jobs */
char *c_ipaddr; /* ip address str - used by monitor */
} Connection;
--
2.13.6

171
SOURCES/0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch
View file

@ -1,171 +0,0 @@
From 18491418e661b5dc1b9ca4c6bb4adb85bfb0bf0d Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 9 May 2017 16:31:52 -0400
Subject: [PATCH] Ticket 49246 - ns-slapd crashes in role cache creation
Bug Description: Using a nested filter for a filtered role can
cause a crash. This was due to the way the filter
was being checked by the roles plugin.
Fix Description: Properly resurse over a filter.
https://pagure.io/389-ds-base/issue/49246
Reviewed by: firstyear & tbordaz(Thanks!!)
(cherry picked from commit 54e4fca35899550e0c25b25e7f7c756302d258ce)
---
dirsrvtests/tests/tickets/ticket49122_test.py | 61 ++++++++++++++++++---------
ldap/servers/plugins/roles/roles_cache.c | 34 +++++++++++----
2 files changed, 66 insertions(+), 29 deletions(-)
diff --git a/dirsrvtests/tests/tickets/ticket49122_test.py b/dirsrvtests/tests/tickets/ticket49122_test.py
index ff1e8d1..0945122 100644
--- a/dirsrvtests/tests/tickets/ticket49122_test.py
+++ b/dirsrvtests/tests/tickets/ticket49122_test.py
@@ -2,8 +2,7 @@ import time
import ldap
import logging
import pytest
-from lib389 import DirSrv, Entry, tools, tasks
-from lib389.tools import DirSrvTools
+from lib389 import Entry
from lib389._constants import *
from lib389.properties import *
from lib389.tasks import *
@@ -19,6 +18,15 @@ log = logging.getLogger(__name__)
USER_DN = 'uid=user,' + DEFAULT_SUFFIX
ROLE_DN = 'cn=Filtered_Role_That_Includes_Empty_Role,' + DEFAULT_SUFFIX
+filters = ['nsrole=cn=empty,dc=example,dc=com',
+ '(nsrole=cn=empty,dc=example,dc=com)',
+ '(&(nsrole=cn=empty,dc=example,dc=com))',
+ '(!(nsrole=cn=empty,dc=example,dc=com))',
+ '(&(|(objectclass=person)(sn=app*))(userpassword=*))',
+ '(&(|(objectclass=person)(nsrole=cn=empty,dc=example,dc=com))(userpassword=*))',
+ '(&(|(nsrole=cn=empty,dc=example,dc=com)(sn=app*))(userpassword=*))',
+ '(&(|(objectclass=person)(sn=app*))(nsrole=cn=empty,dc=example,dc=com))',
+ '(&(|(&(cn=*)(objectclass=person)(nsrole=cn=empty,dc=example,dc=com)))(uid=*))']
def test_ticket49122(topo):
@@ -29,18 +37,6 @@ def test_ticket49122(topo):
topo.standalone.plugins.enable(name=PLUGIN_ROLES)
topo.standalone.restart()
- # Add invalid role
- try:
- topo.standalone.add_s(Entry((
- ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
- 'nscomplexroledefinition', 'nsfilteredroledefinition'],
- 'cn': 'Filtered_Role_That_Includes_Empty_Role',
- 'nsRoleFilter': '(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,dc=example,dc=com))',
- 'description': 'A filtered role with filter that will crash the server'})))
- except ldap.LDAPError as e:
- topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
- assert False
-
# Add test user
try:
topo.standalone.add_s(Entry((
@@ -51,16 +47,39 @@ def test_ticket49122(topo):
assert False
if DEBUGGING:
- # Add debugging steps(if any)...
print("Attach gdb")
time.sleep(20)
- # Search for the role
- try:
- topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
- except ldap.LDAPError as e:
- topo.standalone.log.fatal('Search failed: error ' + str(e))
- assert False
+ # Loop over filters
+ for role_filter in filters:
+ log.info('Testing filter: ' + role_filter)
+
+ # Add invalid role
+ try:
+ topo.standalone.add_s(Entry((
+ ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
+ 'nscomplexroledefinition', 'nsfilteredroledefinition'],
+ 'cn': 'Filtered_Role_That_Includes_Empty_Role',
+ 'nsRoleFilter': role_filter,
+ 'description': 'A filtered role with filter that will crash the server'})))
+ except ldap.LDAPError as e:
+ topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
+ assert False
+
+ # Search for the role
+ try:
+ topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
+ except ldap.LDAPError as e:
+ topo.standalone.log.fatal('Search failed: error ' + str(e))
+ assert False
+
+ # Cleanup
+ try:
+ topo.standalone.delete_s(ROLE_DN)
+ except ldap.LDAPError as e:
+ topo.standalone.log.fatal('delete failed: error ' + str(e))
+ assert False
+ time.sleep(1)
topo.standalone.log.info('Test Passed')
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 4f27c4c..3697eaa 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -1073,20 +1073,38 @@ static int roles_cache_create_role_under(roles_cache_def** roles_cache_suffix, S
}
/*
- * Check that we are not using nsrole in the filter
+ * Check that we are not using nsrole in the filter, recurse over all the
+ * nested filters.
*/
static int roles_check_filter(Slapi_Filter *filter_list)
{
Slapi_Filter *f;
char *type = NULL;
- for ( f = slapi_filter_list_first( filter_list );
- f != NULL;
- f = slapi_filter_list_next( filter_list, f ) )
- {
- slapi_filter_get_attribute_type(f, &type);
- if (strcasecmp(type, NSROLEATTR) == 0){
- return -1;
+ f = slapi_filter_list_first( filter_list );
+ if (f == NULL){
+ /* Single filter */
+ if (slapi_filter_get_attribute_type(filter_list, &type) == 0){
+ if (strcasecmp(type, NSROLEATTR) == 0){
+ return -1;
+ }
+ }
+ }
+ for ( ; f != NULL; f = slapi_filter_list_next(filter_list, f) ){
+ /* Complex filter */
+ if (slapi_filter_list_first(f)) {
+ /* Another filter list - recurse */
+ if (roles_check_filter(f) == -1){
+ /* Done, break out */
+ return -1;
+ }
+ } else {
+ /* Not a filter list, so check the type */
+ if (slapi_filter_get_attribute_type(f, &type) == 0){
+ if (strcasecmp(type, NSROLEATTR) == 0){
+ return -1;
+ }
+ }
}
}
--
2.9.4

84
SOURCES/0045-Ticket-49258-Allow-nsslapd-cache-autosize-to-be-modi.patch
View file

@ -1,84 +0,0 @@
From e0cb3e9ff5337cfc4ecaa6fa5efa189b7bc16246 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 15 May 2017 11:14:43 -0400
Subject: [PATCH 05/10] Ticket 49258 - Allow nsslapd-cache-autosize to be
modified while the server is running
Bug Description: Previously you're not allowed to set nsslapd-cache-autosize, and
nsslapd-cache-autosize-set while the server was running. The only
way to set it was to edit the dse.ldif
Fix Description: Allow it to be set while the server is running. Also added value
validation for these settigs
https://pagure.io/389-ds-base/issue/49258
Reviewed by: tbordaz(Thanks!)
(cherry picked from commit 2d07ca48f9c1232fc544361b5103d353e4791a72)
---
ldap/servers/slapd/back-ldbm/ldbm_config.c | 34 ++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 401cd60..f7edd9e 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -1197,8 +1197,19 @@ static int ldbm_config_cache_autosize_set(void *arg, void *value, char *errorbuf
{
struct ldbminfo *li = (struct ldbminfo *)arg;
- if (apply)
- li->li_cache_autosize = (int)((uintptr_t)value);
+ if (apply) {
+ int val = (int)((uintptr_t)value);
+ if (val < 0 || val > 100) {
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Error: Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
+ CONFIG_CACHE_AUTOSIZE, val);
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_cache_autosize_set",
+ "Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
+ CONFIG_CACHE_AUTOSIZE, val);
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ li->li_cache_autosize = val;
+ }
return LDAP_SUCCESS;
}
@@ -1214,8 +1225,19 @@ static int ldbm_config_cache_autosize_split_set(void *arg, void *value, char *er
{
struct ldbminfo *li = (struct ldbminfo *)arg;
- if (apply)
- li->li_cache_autosize_split = (int)((uintptr_t)value);
+ if (apply) {
+ int val = (int)((uintptr_t)value);
+ if (val < 0 || val > 100) {
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Error: Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
+ CONFIG_CACHE_AUTOSIZE_SPLIT, val);
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_cache_autosize_split_set",
+ "Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
+ CONFIG_CACHE_AUTOSIZE_SPLIT, val);
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ li->li_cache_autosize_split = val;
+ }
return LDAP_SUCCESS;
}
@@ -1582,8 +1604,8 @@ static config_info ldbm_config[] = {
{CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0},
{CONFIG_DB_HOME_DIRECTORY, CONFIG_TYPE_STRING, "", &ldbm_config_db_home_directory_get, &ldbm_config_db_home_directory_set, 0},
{CONFIG_IMPORT_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "-1", &ldbm_config_import_cache_autosize_get, &ldbm_config_import_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
- {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0},
- {CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, 0},
+ {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "16777216", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
{CONFIG_IDL_SWITCH, CONFIG_TYPE_STRING, "new", &ldbm_config_idl_get_idl_new, &ldbm_config_idl_set_tune, CONFIG_FLAG_ALWAYS_SHOW},
{CONFIG_IDL_UPDATE, CONFIG_TYPE_ONOFF, "on", &ldbm_config_idl_get_update, &ldbm_config_idl_set_update, 0},
--
2.9.4

239
SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch Normal file
View file

@ -0,0 +1,239 @@
From 8d79d7c81157e77f4da595a723a6ed10a8e9789b Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 11 Jan 2018 18:52:43 +0100
Subject: [PATCH] Ticket 49509 - Indexing of internationalized matching rules
is failing
Bug Description:
Indexing of the internationalized matching rules tests if a
matching rule indexer handle or not a given OID.
A side effect of https://pagure.io/389-ds-base/issue/49097 is that
the returned indexing callbacks are lost.
Indeed, the indexing callbacks (and potentially others fields) were
stored in the temporary pblock that was memcpy to the provided
pblock in case of success
Fix Description:
The fix basically restores the previous behavior but do not
memcpy pblock. It read/store the pblock fields that are
inputs/outputs of slapi_mr_indexer_create.
https://pagure.io/389-ds-base/issue/49509
Reviewed by: Ludwig Krispenz
Platforms tested: F23
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/plugin_mr.c | 148 ++++++++++++++++++++++++++++-------------
1 file changed, 103 insertions(+), 45 deletions(-)
diff --git a/ldap/servers/slapd/plugin_mr.c b/ldap/servers/slapd/plugin_mr.c
index bd2baff6c..ca4fe00e1 100644
--- a/ldap/servers/slapd/plugin_mr.c
+++ b/ldap/servers/slapd/plugin_mr.c
@@ -143,6 +143,82 @@ plugin_mr_bind(char *oid, struct slapdplugin *plugin)
slapi_log_err(SLAPI_LOG_FILTER, "plugin_mr_bind", "<=\n");
}
+void
+mr_indexer_init_pb(Slapi_PBlock* src_pb, Slapi_PBlock* dst_pb)
+{
+ char* oid;
+ char *type;
+ uint32_t usage;
+ void *object;
+ IFP destroyFn;
+ IFP indexFn, indexSvFn;
+
+ /* matching rule plugin arguments */
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_OID, &oid);
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_TYPE, &type);
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
+
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_OID, oid);
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_TYPE, type);
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
+
+ /* matching rule plugin functions */
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
+
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn);
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn);
+
+ /* common */
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_OBJECT, &object);
+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_DESTROY_FN, &destroyFn);
+
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_OBJECT, object);
+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_DESTROY_FN, destroyFn);
+
+
+}
+
+/*
+ * Retrieves the matching rule plugin able to index/sort the provided OID/type
+ *
+ * The Matching rules able to index/sort a given OID are stored in a global list: global_mr_oids
+ *
+ * The retrieval is done in 3 phases:
+ * - It first searches (in global_mr_oids) for the already bound OID->MR
+ * - Else, look first in old style MR plugin
+ * for each registered 'syntax' and 'matchingrule' plugins having a
+ * SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, it binds (plugin_mr_bind) the first
+ * plugin that support the OID
+ * - Else, look in new style MR plugin
+ * for each registered 'syntax' and 'matchingrule' plugins, it binds (plugin_mr_bind) the first
+ * plugin that contains OID in its plg_mr_names
+ *
+ * Inputs:
+ * SLAPI_PLUGIN_MR_OID
+ * should contain the OID of the matching rule that you want used for indexing or sorting.
+ * SLAPI_PLUGIN_MR_TYPE
+ * should contain the attribute type that you want used for indexing or sorting.
+ * SLAPI_PLUGIN_MR_USAGE
+ * should specify if the indexer will be used for indexing (SLAPI_PLUGIN_MR_USAGE_INDEX)
+ * or for sorting (SLAPI_PLUGIN_MR_USAGE_SORT)
+ *
+ *
+ * Output:
+ *
+ * SLAPI_PLUGIN_MR_OID
+ * contain the OFFICIAL OID of the matching rule that you want used for indexing or sorting.
+ * SLAPI_PLUGIN_MR_INDEX_FN
+ * specifies the indexer function responsible for indexing or sorting of struct berval **
+ * SLAPI_PLUGIN_MR_INDEX_SV_FN
+ * specifies the indexer function responsible for indexing or sorting of Slapi_Value **
+ * SLAPI_PLUGIN_OBJECT
+ * contain any information that you want passed to the indexer function.
+ * SLAPI_PLUGIN_DESTROY_FN
+ * specifies the function responsible for freeing any memory allocated by this indexer factory function.
+ * For example, memory allocated for a structure that you pass to the indexer function using SLAPI_PLUGIN_OBJECT.
+ *
+ */
int /* an LDAP error code, hopefully LDAP_SUCCESS */
slapi_mr_indexer_create(Slapi_PBlock *opb)
{
@@ -152,28 +228,33 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
IFP createFn = NULL;
struct slapdplugin *mrp = plugin_mr_find_registered(oid);
if (mrp != NULL) {
+ /* Great the matching OID -> MR plugin was already found, just reuse it */
if (!(rc = slapi_pblock_set(opb, SLAPI_PLUGIN, mrp)) &&
!(rc = slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) &&
createFn != NULL) {
rc = createFn(opb);
}
} else {
- /* call each plugin, until one is able to handle this request. */
+ /* We need to find in the MR plugins list, the MR plugin that will be able to handle OID
+ *
+ * It can be "old style" MR plugin (i.e. collation) that define indexer
+ *
+ * It can be "now style" MR plugin that contain OID string in 'plg_mr_names'
+ * (ie. ces, cis, bin...) where plg_mr_names is defined in 'mr_plugin_table' in each file
+ * ces.c, cis.c...
+ * New style MR plugin have NULL indexer create function but rather use a default indexer
+ */
+
+ /* Look for a old syntax-style mr plugin
+ * call each plugin, until one is able to handle this request.
+ */
rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
- // We need to get the type and usage from the caller.
- char *type;
- uint32_t usage;
- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_TYPE, &type);
- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_USAGE, &usage);
+
for (mrp = get_plugin_list(PLUGIN_LIST_MATCHINGRULE); mrp != NULL; mrp = mrp->plg_next) {
Slapi_PBlock *pb = slapi_pblock_new();
+ mr_indexer_init_pb(opb, pb);
slapi_pblock_set(pb, SLAPI_PLUGIN, mrp);
- /* From filtercmp.c and matchrule.c, these are the values we need to set. into pb */
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage);
-
/* This is associated with the pb_plugin struct, so it comes with mrp */
if (slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) {
/* plugin not a matchingrule type */
@@ -185,14 +266,11 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
IFP indexFn = NULL;
IFP indexSvFn = NULL;
/* These however, are in the pblock direct, so we need to copy them. */
- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
if (indexFn || indexSvFn) {
/* Success: this plugin can handle it. */
- /* call create on the opb? */
- createFn(opb);
+ mr_indexer_init_pb(pb, opb);
plugin_mr_bind(oid, mrp); /* for future reference */
rc = 0; /* success */
slapi_pblock_destroy(pb);
@@ -205,37 +283,12 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
/* look for a new syntax-style mr plugin */
struct slapdplugin *pi = plugin_mr_find(oid);
if (pi) {
- Slapi_PBlock *pb = slapi_pblock_new();
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage);
- slapi_pblock_set(pb, SLAPI_PLUGIN, pi);
- rc = default_mr_indexer_create(pb);
+ slapi_pblock_set(opb, SLAPI_PLUGIN, pi);
+ rc = default_mr_indexer_create(opb);
if (!rc) {
- /* On success, copy the needed values in. These are added by default_mr_indexer_create */
- void *pb_object = NULL;
- IFP destroy_fn = NULL;
- IFP index_fn = NULL;
- IFP index_sv_fn = NULL;
-
- slapi_pblock_get(pb, SLAPI_PLUGIN_OBJECT, &pb_object);
- slapi_pblock_get(pb, SLAPI_PLUGIN_DESTROY_FN, &destroy_fn);
- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &index_fn);
- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &index_sv_fn);
-
- /* SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, and SLAPI_PLUGIN_MR_FILTER_CREATE_FN, are part of pb_plugin */
- slapi_pblock_set(opb, SLAPI_PLUGIN, pi);
- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_OID, oid);
- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_TYPE, type);
- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_USAGE, &usage);
- slapi_pblock_set(opb, SLAPI_PLUGIN_OBJECT, pb_object);
- slapi_pblock_set(opb, SLAPI_PLUGIN_DESTROY_FN, destroy_fn);
- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_FN, index_fn);
- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, index_sv_fn);
-
plugin_mr_bind(oid, pi); /* for future reference */
}
- slapi_pblock_destroy(pb);
+ slapi_pblock_set(opb, SLAPI_PLUGIN, NULL);
}
}
}
@@ -706,6 +759,11 @@ default_mr_indexer_create(Slapi_PBlock *pb)
slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, mr_wrap_mr_index_fn);
slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, mr_wrap_mr_index_sv_fn);
slapi_pblock_set(pb, SLAPI_PLUGIN_DESTROY_FN, default_mr_indexer_destroy);
+
+ /* Note the two following setting are in the slapdplugin struct SLAPI_PLUGIN
+ * so they are not really output of the function but will just
+ * be stored in the bound (OID <--> plugin) list (plugin_mr_find_registered/plugin_mr_bind)
+ */
slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, default_mr_indexer_create);
slapi_pblock_set(pb, SLAPI_PLUGIN_MR_FILTER_CREATE_FN, default_mr_filter_create);
rc = 0;
--
2.13.6

156
SOURCES/0046-Ticket-49261-Fix-script-usage-and-man-pages.patch
View file

@ -1,156 +0,0 @@
From c0a50f26aa52bda451c5b5bce7fa2c7c2eb90fe6 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 17 May 2017 16:24:50 -0400
Subject: [PATCH] Ticket 49261 - Fix script usage and man pages
Description: We incorrectly said db2bak.pl and db2ldif.pl took a "-v" option,
but they did not. Plus the usage for some of the shell scripts
did not display "-v" option in the usage
https://pagure.io/389-ds-base/issue/49261
Reviewed by: tbordaz(Thanks!)
---
ldap/admin/src/scripts/db2bak.in | 3 ++-
ldap/admin/src/scripts/db2bak.pl.in | 2 +-
ldap/admin/src/scripts/db2index.in | 3 ++-
ldap/admin/src/scripts/db2ldif.in | 3 ++-
ldap/admin/src/scripts/db2ldif.pl.in | 2 +-
ldap/admin/src/scripts/vlvindex.in | 3 ++-
man/man8/vlvindex.8 | 6 +++++-
7 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/ldap/admin/src/scripts/db2bak.in b/ldap/admin/src/scripts/db2bak.in
index e773b28..a13d2e2 100755
--- a/ldap/admin/src/scripts/db2bak.in
+++ b/ldap/admin/src/scripts/db2bak.in
@@ -13,11 +13,12 @@ export SHLIB_PATH
usage()
{
- echo "Usage: db2bak [archivedir] [-Z serverID] [-q] [-h]"
+ echo "Usage: db2bak [archivedir] [-Z serverID] [-q] [-v] [-h]"
echo "Options:"
echo " archivedir - Directory where the backup should be stored"
echo " -Z serverID - Server instance identifier"
echo " -q - Quiet mode - suppresses output"
+ echo " -v - Display version"
echo " -h - Display usage"
}
diff --git a/ldap/admin/src/scripts/db2bak.pl.in b/ldap/admin/src/scripts/db2bak.pl.in
index 73d4187..335285e 100644
--- a/ldap/admin/src/scripts/db2bak.pl.in
+++ b/ldap/admin/src/scripts/db2bak.pl.in
@@ -25,7 +25,7 @@ $dbtype = "ldbm database";
$i = 0;
sub usage {
- print(STDERR "Usage: db2bak.pl [-v] [-Z serverID] [-D rootdn] { -w password | -w - | -j filename } [-a backupdir]\n");
+ print(STDERR "Usage: db2bak.pl [-Z serverID] [-D rootdn] { -w password | -w - | -j filename } [-a backupdir]\n");
print(STDERR " [-t dbtype] [-P protocol] [-h]\n");
print(STDERR "Options:\n");
print(STDERR " -D rootdn - Directory Manager\n");
diff --git a/ldap/admin/src/scripts/db2index.in b/ldap/admin/src/scripts/db2index.in
index 04183d3..3fc4c2c 100755
--- a/ldap/admin/src/scripts/db2index.in
+++ b/ldap/admin/src/scripts/db2index.in
@@ -14,7 +14,7 @@ export SHLIB_PATH
usage ()
{
echo "Usage: db2index [-Z serverID] [-n backend | {-s includesuffix}* -t attribute[:indextypes[:matchingrules]]"
- echo " -T vlvTag] [-h]"
+ echo " -T vlvTag] [-v] [-h]"
echo "Options:"
echo " -Z serverID - Server instance identifier"
echo " -n backend - Backend database name. Example: userRoot"
@@ -26,6 +26,7 @@ usage ()
echo " - matchingrules: comma separated matrules"
echo " Example: -t foo:eq,pres"
echo " -T vlvTag - VLV index name"
+ echo " -v - Display version"
echo " -h - Display usage"
}
diff --git a/ldap/admin/src/scripts/db2ldif.in b/ldap/admin/src/scripts/db2ldif.in
index 08f30e4..95d2754 100755
--- a/ldap/admin/src/scripts/db2ldif.in
+++ b/ldap/admin/src/scripts/db2ldif.in
@@ -16,7 +16,7 @@ cwd=`pwd`
usage()
{
echo "Usage: db2ldif [-Z serverID] {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-a outputfile]"
- echo " [-E] [-r] [-u] [-U] [-m] [-1] [-q] [-h]"
+ echo " [-E] [-r] [-u] [-U] [-m] [-1] [-q] [-v] [-h]"
echo "Note: either \"-n backend\" or \"-s includesuffix\" is required."
echo "Options:"
echo " -Z serverID - Server instance identifier"
@@ -31,6 +31,7 @@ usage()
echo " -m - Do not base64 encode values"
echo " -1 - Do not include version text"
echo " -q - Quiet mode - suppresses output"
+ echo " -v - Display version"
echo " -h - Display usage"
}
diff --git a/ldap/admin/src/scripts/db2ldif.pl.in b/ldap/admin/src/scripts/db2ldif.pl.in
index 179d236..0d220f0 100644
--- a/ldap/admin/src/scripts/db2ldif.pl.in
+++ b/ldap/admin/src/scripts/db2ldif.pl.in
@@ -38,7 +38,7 @@ $decrypt_on_export = 0;
$cwd = cwd();
sub usage {
- print(STDERR "Usage: db2ldif.pl [-v] [-Z serverID] [-D rootdn] { -w password | -w - | -j pwfilename }\n");
+ print(STDERR "Usage: db2ldif.pl [-Z serverID] [-D rootdn] { -w password | -w - | -j pwfilename }\n");
print(STDERR " [-P protocol] {-n backendname}* | {-s include}* [{-x exclude}*] [-h]\n");
print(STDERR " [-a filename] [-m] [-M] [-r] [-u] [-C] [-N] [-U] [-E] [-1] [-a filename]\n");
print(STDERR "Options:\n");
diff --git a/ldap/admin/src/scripts/vlvindex.in b/ldap/admin/src/scripts/vlvindex.in
index ba2a2b3..6820de4 100755
--- a/ldap/admin/src/scripts/vlvindex.in
+++ b/ldap/admin/src/scripts/vlvindex.in
@@ -13,7 +13,7 @@ export SHLIB_PATH
usage ()
{
- echo "Usage: vlvindex [-Z serverID] -n backendname | {-s includesuffix}* -T vlvTag [-d debuglevel] [-h]"
+ echo "Usage: vlvindex [-Z serverID] -n backendname | {-s includesuffix}* -T vlvTag [-d debuglevel] [-v] [-h]"
echo "Note: either \"-n backend\" or \"-s includesuffix\" are required."
echo "Options:"
echo " -Z serverID - Server instance identifier"
@@ -21,6 +21,7 @@ usage ()
echo " -s includessuffix - Suffix to index"
echo " -T vlvTag - VLV index name"
echo " -d debuglevel - Debugging level"
+ echo " -v - Display version"
echo " -h - Display usage"
}
diff --git a/man/man8/vlvindex.8 b/man/man8/vlvindex.8
index f3e1748..4d9497a 100644
--- a/man/man8/vlvindex.8
+++ b/man/man8/vlvindex.8
@@ -18,7 +18,7 @@
.SH NAME
vlvindex - Directory Server script for VLV indexing
.SH SYNOPSIS
-vlvindex [\-Z serverID] \-n backendname | {\-s includesuffix}* \-T vlvTag [\-d debuglevel] [\-h]
+vlvindex [\-Z serverID] \-n backendname | {\-s includesuffix}* \-T vlvTag [\-d debuglevel] [\-v] [\-h]
.SH DESCRIPTION
Creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way search results are viewed. VLV index configuration must already exist prior to running this script. The Directory Server must be stopped before running this script.
.SH OPTIONS
@@ -40,6 +40,10 @@ This is the name of the vlv index entry under cn=config.
.B \fB\-d\fR \fIDebug Level\fR
Settings the debugging level.
.TP
+.B \fB\-v\fR
+.br
+Display the version.
+.TP
.B \fB\-h\fR
.br
Display the usage.
--
2.9.4

155
SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch Normal file
View file

@ -0,0 +1,155 @@
From a7a0db402b32dcec7fc93bcbef42174163ae9c12 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Tue, 12 Dec 2017 12:46:37 +0100
Subject: [PATCH] Ticket 49493 - heap use after free in csn_as_string
Bug: If write_changlog_and_ruv failed teh csn pending list was not properly
cleand and references to the prim csn were kept, but the prim csn was reset
Fix: check the return code for the mmr postop plugin and aset error codes properly
that will triger cancel_opcsn
Reviewed by: Thierry, thanks
Tested by: Viktor, thanks
---
ldap/servers/slapd/back-ldbm/ldbm_add.c | 22 +---------------------
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 4 ++++
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 4 ++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 4 ++++
ldap/servers/slapd/back-ldbm/misc.c | 18 ++++++++++++++++++
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 1 +
6 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index b7e17ad50..f29945a7e 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -22,7 +22,6 @@ extern char *hassubordinates;
static void delete_update_entrydn_operational_attributes(struct backentry *ep);
-static int set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message);
#define ADD_SET_ERROR(rc, error, count) \
{ \
(rc) = (error); \
@@ -1201,7 +1200,7 @@ ldbm_back_add(Slapi_PBlock *pb)
retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_ADD_FN);
if (retval) {
- set_error(pb, retval, ldap_result_code, &ldap_result_message);
+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
goto error_return;
}
@@ -1471,22 +1470,3 @@ delete_update_entrydn_operational_attributes(struct backentry *ep)
slapi_entry_attr_delete(ep->ep_entry, LDBM_ENTRYDN_STR);
}
-static int
-set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message)
-{
- int opreturn = 0;
- if (!ldap_result_code) {
- slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
- }
- if (!ldap_result_code) {
- ldap_result_code = LDAP_OPERATIONS_ERROR;
- slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
- }
- slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
- if (!opreturn) {
- slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
- }
- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
-
- return opreturn;
-}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index db463c18c..be0db1bd0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -1276,6 +1276,10 @@ replace_entry:
}
retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN);
+ if (retval) {
+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
+ goto error_return;
+ }
commit_return:
/* Release SERIAL LOCK */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 7ee796fd2..cc4319e5f 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -867,6 +867,10 @@ ldbm_back_modify(Slapi_PBlock *pb)
goto error_return;
}
retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN);
+ if (retval) {
+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
+ goto error_return;
+ }
/* Release SERIAL LOCK */
retval = dblayer_txn_commit(be, &txn);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index 2c0cb074e..93fb77dc9 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -1211,6 +1211,10 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
goto error_return;
}
retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN);
+ if (retval) {
+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
+ goto error_return;
+ }
/* Release SERIAL LOCK */
retval = dblayer_txn_commit(be, &txn);
diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c
index df1afdfb1..c52e58a4a 100644
--- a/ldap/servers/slapd/back-ldbm/misc.c
+++ b/ldap/servers/slapd/back-ldbm/misc.c
@@ -16,6 +16,24 @@
#include "back-ldbm.h"
+void
+ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message)
+{
+ int opreturn = 0;
+ if (!(*ldap_result_code)) {
+ slapi_pblock_get(pb, SLAPI_RESULT_CODE, ldap_result_code);
+ }
+ if (!(*ldap_result_code)) {
+ *ldap_result_code = LDAP_OPERATIONS_ERROR;
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, ldap_result_code);
+ }
+ slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
+ if (!opreturn) {
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, *ldap_result_code ? ldap_result_code : &retval);
+ }
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
+}
+
/* Takes a return code supposed to be errno or from lidb
which we don't expect to see and prints a handy log message */
void
diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
index 0cee3df62..da3eef18b 100644
--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
@@ -379,6 +379,7 @@ int ldbm_txn_ruv_modify_context(Slapi_PBlock *pb, modify_context *mc);
int get_value_from_string(const char *string, char *type, char **value);
int get_values_from_string(const char *string, char *type, char ***valuearray);
void normalize_dir(char *dir);
+void ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message);
/*
* nextid.c
--
2.13.6

46
SOURCES/0047-Ticket-48864-Fix-FreeIPA-build.patch
View file

@ -1,46 +0,0 @@
From f007ba9e5ac0bbeee1c1d6b4e292b293629a838c Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Wed, 17 May 2017 22:03:54 +0200
Subject: [PATCH] Issue 48864 - Fix FreeIPA build
Bug Description:
FreeIPA build fails because of incorrect include files
https://pagure.io/389-ds-base/issue/48864
Reviewed by: mreynolds (Thanks!)
---
ldap/servers/slapd/slapi-plugin.h | 2 +-
ldap/servers/slapd/slapi_pal.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index ec8917d..4084945 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -28,7 +28,7 @@ extern "C" {
#endif
/* Provides our int types and platform specific requirements. */
-#include <slapi_pal.h>
+#include "slapi_pal.h"
#include "prtypes.h"
#include "ldap.h"
diff --git a/ldap/servers/slapd/slapi_pal.h b/ldap/servers/slapd/slapi_pal.h
index cb61d84..307679d 100644
--- a/ldap/servers/slapd/slapi_pal.h
+++ b/ldap/servers/slapd/slapi_pal.h
@@ -19,7 +19,9 @@
#pragma once
+#ifdef HAVE_CONFIG_H
#include <config.h>
+#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
--
2.9.4

133
SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch Normal file
View file

@ -0,0 +1,133 @@
From a85f64d2c4fa2718748a205d4ae0ebab47513199 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 8 Jan 2018 11:34:02 -0500
Subject: [PATCH] Ticket 49524 - Password policy: minimum token length fails
when the token length is equal to attribute length
Bug Description: The token checking breaks when the password is the
exact value of the entry attribute.
Fix Description: Remove the "equal" part of the string comparisons.
https://pagure.io/389-ds-base/issue/49524
Reviewed by: firstyear & spichugi(Thanks!!)
(cherry picked from commit 790be09fc434d394239bf2486d01f212b36cf0e3)
---
.../tests/suites/password/pwdPolicy_token_test.py | 75 ++++++++++++++++++++++
ldap/servers/slapd/pw.c | 2 +-
ldap/servers/slapd/utf8.c | 2 +-
3 files changed, 77 insertions(+), 2 deletions(-)
create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
new file mode 100644
index 000000000..7a4de9c85
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
@@ -0,0 +1,75 @@
+import logging
+import pytest
+import os
+import time
+import ldap
+from lib389._constants import *
+from lib389.idm.user import UserAccounts
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=Test_user1,ou=People,dc=example,dc=com'
+TOKEN = 'test_user1'
+
+user_properties = {
+ 'uid': 'Test_user1',
+ 'cn': 'test_user1',
+ 'sn': 'test_user1',
+ 'uidNumber': '1001',
+ 'gidNumber': '2001',
+ 'userpassword': PASSWORD,
+ 'description': 'userdesc',
+ 'homeDirectory': '/home/{}'.format('test_user')}
+
+
+def pwd_setup(topo):
+ topo.standalone.config.replace_many(('passwordCheckSyntax', 'on'),
+ ('passwordMinLength', '4'),
+ ('passwordMinCategories', '1'))
+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+ return users.create(properties=user_properties)
+
+
+def test_token_lengths(topo):
+ """Test that password token length is enforced for various lengths including
+ the same length as the attribute being checked by the policy.
+
+ :id: dae9d916-2a03-4707-b454-9e901d295b13
+ :setup: Standalone instance
+ :steps:
+ 1. Test token length rejects password of the same length as rdn value
+ :expectedresults:
+ 1. Passwords are rejected
+ """
+ user = pwd_setup(topo)
+ for length in ['4', '6', '10']:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topo.standalone.config.set('passwordMinTokenLength', length)
+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
+ time.sleep(1)
+
+ try:
+ passwd = TOKEN[:int(length)]
+ log.info("Testing password len {} token ({})".format(length, passwd))
+ user.replace('userpassword', passwd)
+ log.fatal('Password incorrectly allowed!')
+ assert False
+ except ldap.CONSTRAINT_VIOLATION as e:
+ log.info('Password correctly rejected: ' + str(e))
+ except ldap.LDAPError as e:
+ log.fatal('Unexpected failure ' + str(e))
+ assert False
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index e625962e8..0cf795b41 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1465,7 +1465,7 @@ check_trivial_words(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char *
sp = slapi_ch_strdup(slapi_value_get_string(valp));
ep = sp + strlen(sp);
ep = ldap_utf8prevn(sp, ep, toklen);
- if (!ep || (sp >= ep)) {
+ if (!ep || (sp > ep)) {
slapi_ch_free_string(&sp);
continue;
}
diff --git a/ldap/servers/slapd/utf8.c b/ldap/servers/slapd/utf8.c
index b0667c636..4538625b3 100644
--- a/ldap/servers/slapd/utf8.c
+++ b/ldap/servers/slapd/utf8.c
@@ -152,7 +152,7 @@ ldap_utf8prevn(char *s, char *from, int n)
}
for (; n > 0; --n) {
prev = ldap_utf8prev(prev);
- if ((prev <= s) && (n > 0)) {
+ if ((n > 0) && (prev < s)) {
return NULL;
}
}
--
2.13.6

32
SOURCES/0048-Ticket-49157-fix-error-in-ds-logpipe.py.patch
View file

@ -1,32 +0,0 @@
From 33dc0b3fc6de5d7a400d24a69098ec1b23917e44 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 22 May 2017 12:25:42 -0400
Subject: [PATCH] Ticket 49157 - fix error in ds-logpipe.py
Description: Fix typo in ds-logpipe.py
https://pagure.io/389-ds-base/issue/49157
Reviewed by: mreynolds(one line commit rule)
(cherry picked from commit 15f5f6ac42768ae0cd2040cc4169abde8187bcdf)
---
ldap/admin/src/scripts/ds-logpipe.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
index 13712ea..f29a9ff 100644
--- a/ldap/admin/src/scripts/ds-logpipe.py
+++ b/ldap/admin/src/scripts/ds-logpipe.py
@@ -318,7 +318,7 @@ except OSError as e:
sys.exit(1)
else:
print("Failed to create log pipe - %s [error %d]" % (e.strerror, e.errno))
- sys.ext(1)
+ sys.exit(1)
if debug:
print("Listening to log pipe", logfname, "number of lines", maxlines)
--
2.9.4

41
SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch Normal file
View file

@ -0,0 +1,41 @@
From 7fa2f146c80ed64217bb0c1022c99bd1948cdc7c Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Thu, 11 Jan 2018 15:56:21 +0100
Subject: [PATCH] Ticket 49446 - cleanallruv should ignore cleaned replica Id
in processing changelog if in force mode
Bug: If the startcsn is calculated based on a cleaned rid, it could be missing from the changelog.
Fix: In force mode we do not care that the topology gets in sync for the cleaned RID, so we can ignore it
in an earlier stage, instead of setting it to precleane only.
Reviewed by: Thierry, thanks
---
ldap/servers/plugins/replication/repl5_replica_config.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index e025f34d8..005528a41 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -1688,9 +1688,15 @@ replica_cleanallruv_thread(void *arg)
}
/*
* Presetting the rid prevents duplicate thread creation, but allows the db and changelog to still
- * process updates from the rid. set_cleaned_rid() blocks updates, so we don't want to do that... yet.
+ * process updates from the rid.
+ * set_cleaned_rid() blocks updates, so we don't want to do that... yet unless we are in force mode.
+ * If we are forcing a clean independent of state of other servers for this RID we can set_cleaned_rid()
*/
- preset_cleaned_rid(data->rid);
+ if (data->force) {
+ set_cleaned_rid(data->rid);
+ } else {
+ preset_cleaned_rid(data->rid);
+ }
rid_text = slapi_ch_smprintf("%d", data->rid);
csn_as_string(data->maxcsn, PR_FALSE, csnstr);
/*
--
2.13.6

Some files were not shown because too many files have changed in this diff Show more